* [PATCH] SE-PostgreSQL Security Policy
@ 2008-02-13 9:29 Kohei KaiGai
2008-02-25 16:30 ` Christopher J. PeBenito
0 siblings, 1 reply; 34+ messages in thread
From: Kohei KaiGai @ 2008-02-13 9:29 UTC (permalink / raw)
To: cpebenito; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 495 bytes --]
The attached patch adds support for SE-PostgreSQL.
Most of it is the same as what we are currently distributing via the RPM package.
This patch adds some booleans, attributes and types.
You can find a detailed description of how they work in chapter 5
of "The Security-Enhanced PostgreSQL Security Guide".
See http://sepgsql.googlecode.com/files/sepgsql_security_guide.20070903.en.pdf
Any comments please,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-sepostgresql.patch --]
[-- Type: text/x-patch, Size: 16151 bytes --]
Index: refpolicy/policy/modules/services/sepostgresql.fc
===================================================================
--- refpolicy/policy/modules/services/sepostgresql.fc (revision 0)
+++ refpolicy/policy/modules/services/sepostgresql.fc (revision 0)
@@ -0,0 +1,10 @@
+#
+# SE-PostgreSQL install path
+#
+/usr/bin/sepostgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb.sepgsql -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
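Review bot: the file contexts use postgresql_exec_t, postgresql_db_t, postgresql_log_t and initrc_exec_t, but sepostgresql.te neither declares nor requires any of them, so the .fc of this stand-alone module has nothing to resolve those types against; either add them to the module's gen_require or, as suggested later in the thread, fold these entries into postgresql.fc where the types already live. Minor: `/var/lib/sepgsql/pgstartup\.log` is the only regular-file entry without the `--` specifier the neighbouring lines use.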
Index: refpolicy/policy/modules/services/sepostgresql.if
===================================================================
--- refpolicy/policy/modules/services/sepostgresql.if (revision 0)
+++ refpolicy/policy/modules/services/sepostgresql.if (revision 0)
@@ -0,0 +1,88 @@
+## <summary>SE-PostgreSQL relational database</summary>
+
+########################################
+## <summary>
+## marks as a server process of SE-PostgreSQL.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`sepgsql_server_domain',`
+ gen_require(`
+ attribute sepgsql_server_type;
+ ')
+ typeattribute $1 sepgsql_server_type;
+')
+
+########################################
+## <summary>
+## marks as a administrative client process of SE-PostgreSQL.
+## </summary>
+## <param name="domain">
+## <summary>
+## A domain marked as a administrative client domain
+## </summary>
+## </param>
+#
+interface(`sepgsql_database_admin_domain',`
+ gen_require(`
+ attribute sepgsql_admin_type;
+ attribute sepgsql_users_type;
+ ')
+ typeattribute $1 sepgsql_admin_type;
+ typeattribute $1 sepgsql_users_type;
+')
+
+########################################
+## <summary>
+## marks as a generic client process of SE-PostgreSQL.
+## </summary>
+## <param name="type">
+## <summary>
+## A domain marked as a generic client domain
+## </summary>
+## </param>
+#
+interface(`sepgsql_database_user_domain',`
+ gen_require(`
+ attribute sepgsql_users_type;
+ ')
+ typeattribute $1 sepgsql_users_type;
+')
+
+########################################
+## <summary>
+## marks as a generic client process of SE-PostgreSQL.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the trusted procedure domain.
+## </summary>
+## </param>
+#
+interface(`sepgsql_database_client_role',`
+ gen_require(`
+ type sepgsql_trusted_domain_t;
+ ')
+ role $1 types sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`sepgsql_module_object',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+ typeattribute $1 sepgsql_module_type;
+')
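Review bot: the documentation blocks do not match the interfaces: `sepgsql_database_client_role` repeats the summary of `sepgsql_database_user_domain` ("marks as a generic client process") although it only associates a role with sepgsql_trusted_domain_t; `sepgsql_database_admin_domain` also adds sepgsql_users_type but its summary does not say so; the `<param>` is named "domain" in two interfaces and "type" in `sepgsql_database_user_domain` while the text says "A domain"; and "a administrative" should read "an administrative". The interface reference is generated from these blocks, so they are worth fixing together with any rename.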
Index: refpolicy/policy/modules/services/apache.te
===================================================================
--- refpolicy/policy/modules/services/apache.te (revision 2600)
+++ refpolicy/policy/modules/services/apache.te (working copy)
@@ -482,6 +482,10 @@
')
optional_policy(`
+ sepgsql_database_user_domain(httpd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
Index: refpolicy/policy/modules/services/apache.if
===================================================================
--- refpolicy/policy/modules/services/apache.if (revision 2600)
+++ refpolicy/policy/modules/services/apache.if (working copy)
@@ -228,6 +228,10 @@
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
+
+ optional_policy(`
+ sepgsql_database_user_domain(httpd_$1_script_t)
+ ')
')
#######################################
Index: refpolicy/policy/modules/services/postgresql.te
===================================================================
--- refpolicy/policy/modules/services/postgresql.te (revision 2600)
+++ refpolicy/policy/modules/services/postgresql.te (working copy)
@@ -160,6 +160,10 @@
')
optional_policy(`
+ sepgsql_server_domain(postgresql_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(postgresql_t)
')
Index: refpolicy/policy/modules/services/sepostgresql.te
===================================================================
--- refpolicy/policy/modules/services/sepostgresql.te (revision 0)
+++ refpolicy/policy/modules/services/sepostgresql.te (revision 0)
@@ -0,0 +1,239 @@
+policy_module(sepostgresql,3.0)
+
+gen_require(`
+ all_userspace_class_perms
+
+ type unlabeled_t;
+ attribute file_type;
+ type lib_t, textrel_shlib_t;
+')
+
+#################################
+#
+# Declarations of SE-PostgreSQL booleans
+#
+
+## <desc>
+## <p>
+## Allow to enable unconfined domains
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_unconfined, true)
+
+## <desc>
+## <p>
+## Allow to generate auditallow logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditallow, false)
+
+## <desc>
+## <p>
+## Allow to generate auditdeny logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditdeny, true)
+
+## <desc>
+## <p>
+## Allow to generate audit(allow|deny) logs for tuples
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_audittuple, false)
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
+#################################
+#
+# Declarations of type/attributes
+#
+
+## Database Server/Client Attributes
+attribute sepgsql_server_type;
+attribute sepgsql_admin_type;
+attribute sepgsql_users_type;
+
+## Database Object Attributes
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+## Database Trusted Domain
+type sepgsql_trusted_domain_t;
+domain_type(sepgsql_trusted_domain_t)
+sepgsql_database_admin_domain(sepgsql_trusted_domain_t)
+
+## Database Object Types
+type sepgsql_db_t, sepgsql_database_type;
+
+type sepgsql_table_t, sepgsql_table_type;
+type sepgsql_sysobj_t, sepgsql_table_type;
+type sepgsql_secret_table_t, sepgsql_table_type;
+type sepgsql_ro_table_t, sepgsql_table_type;
+type sepgsql_fixed_table_t, sepgsql_table_type;
+
+type sepgsql_proc_t, sepgsql_procedure_type;
+type sepgsql_user_proc_t, sepgsql_procedure_type;
+type sepgsql_trusted_proc_t, sepgsql_procedure_type;
+
+type sepgsql_blob_t, sepgsql_blob_type;
+type sepgsql_ro_blob_t, sepgsql_blob_type;
+type sepgsql_secret_blob_t, sepgsql_blob_type;
+
+typeattribute unlabeled_t sepgsql_database_type;
+typeattribute unlabeled_t sepgsql_table_type;
+typeattribute unlabeled_t sepgsql_procedure_type;
+typeattribute unlabeled_t sepgsql_blob_type;
+
+#################################
+#
+# SE-PostgreSQL Type Transitions
+#
+
+# db_database
+type_transition domain domain : db_database sepgsql_db_t;
+
+# db_table
+type_transition sepgsql_server_type sepgsql_database_type : db_table sepgsql_sysobj_t;
+type_transition { domain - sepgsql_server_type } sepgsql_database_type : db_table sepgsql_table_t;
+
+# db_procedure
+type_transition sepgsql_server_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+tunable_policy(`sepgsql_enable_unconfined',`
+ type_transition sepgsql_admin_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+',`
+ type_transition sepgsql_admin_type sepgsql_database_type : db_procedure sepgsql_user_proc_t;
+')
+type_transition { domain - sepgsql_server_type - sepgsql_admin_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
+
+# db_blob
+type_transition domain sepgsql_database_type : db_blob sepgsql_blob_t;
+
+# Trusted Procedures
+role system_r types sepgsql_trusted_proc_t;
+type_transition sepgsql_users_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
+allow sepgsql_users_type sepgsql_trusted_domain_t : process { transition };
+
+#################################
+#
+# SE-PostgreSQL Server Local Policy
+#
+allow sepgsql_server_type self : netlink_selinux_socket create_socket_perms;
+selinux_get_fs_mount(sepgsql_server_type)
+selinux_get_enforce_mode(sepgsql_server_type)
+selinux_validate_context(sepgsql_server_type)
+selinux_compute_access_vector(sepgsql_server_type)
+selinux_compute_create_context(sepgsql_server_type)
+selinux_compute_relabel_context(sepgsql_server_type)
+
+allow sepgsql_server_type sepgsql_database_type : db_database all_db_database_perms;
+allow sepgsql_server_type sepgsql_module_type : db_database { install_module };
+allow sepgsql_server_type sepgsql_table_type : db_table all_db_table_perms;
+allow sepgsql_server_type sepgsql_table_type : db_column all_db_column_perms;
+allow sepgsql_server_type sepgsql_table_type : db_tuple all_db_tuple_perms;
+allow sepgsql_server_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure all_db_procedure_perms;
+allow sepgsql_server_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
+allow sepgsql_server_type sepgsql_blob_type : db_blob all_db_blob_perms;
+allow sepgsql_server_type sepgsql_server_type : db_blob { import export };
+
+#################################
+#
+# SE-PostgreSQL Administrative Domain Local Policy
+#
+tunable_policy(`sepgsql_enable_unconfined',`
+ allow sepgsql_admin_type sepgsql_database_type : db_database all_db_database_perms;
+ allow sepgsql_admin_type sepgsql_module_type : db_database { install_module };
+ allow sepgsql_admin_type sepgsql_table_type : db_table all_db_table_perms;
+ allow sepgsql_admin_type sepgsql_table_type : db_column all_db_column_perms;
+ allow sepgsql_admin_type sepgsql_table_type : db_tuple all_db_tuple_perms;
+ allow sepgsql_admin_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure all_db_procedure_perms;
+ allow sepgsql_admin_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
+ allow sepgsql_admin_type sepgsql_blob_type : db_blob all_db_blob_perms;
+ allow sepgsql_admin_type sepgsql_server_type : db_blob { import export };
+',`
+ allow sepgsql_admin_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr execute };
+ allow sepgsql_admin_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+')
+
+#################################
+#
+# SE-PostgreSQL Users Domain Local Policy
+#
+allow sepgsql_users_type sepgsql_db_t : db_database { getattr access get_param set_param };
+
+allow sepgsql_users_type sepgsql_table_t : db_table { getattr use select update insert delete };
+allow sepgsql_users_type sepgsql_table_t : db_column { getattr use select update insert };
+allow sepgsql_users_type sepgsql_table_t : db_tuple { use select update insert delete };
+
+allow sepgsql_users_type sepgsql_sysobj_t : db_table { getattr use select };
+allow sepgsql_users_type sepgsql_sysobj_t : db_column { getattr use select };
+allow sepgsql_users_type sepgsql_sysobj_t : db_tuple { use select };
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_users_type sepgsql_table_t : db_table { create drop setattr };
+ allow sepgsql_users_type sepgsql_table_t : db_column { create drop setattr };
+ allow sepgsql_users_type sepgsql_sysobj_t : db_tuple { update insert delete };
+')
+
+allow sepgsql_users_type sepgsql_secret_table_t : db_table { getattr };
+allow sepgsql_users_type sepgsql_secret_table_t : db_column { getattr };
+
+allow sepgsql_users_type sepgsql_ro_table_t : db_table { getattr use select };
+allow sepgsql_users_type sepgsql_ro_table_t : db_column { getattr use select };
+allow sepgsql_users_type sepgsql_ro_table_t : db_tuple { use select };
+
+allow sepgsql_users_type sepgsql_fixed_table_t : db_table { getattr use select insert };
+allow sepgsql_users_type sepgsql_fixed_table_t : db_column { getattr use select insert };
+allow sepgsql_users_type sepgsql_fixed_table_t : db_tuple { use select insert };
+
+allow sepgsql_users_type sepgsql_proc_t : db_procedure { getattr execute };
+allow { sepgsql_users_type - sepgsql_admin_type } sepgsql_user_proc_t : db_procedure { create drop getattr setattr execute };
+allow sepgsql_users_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+
+allow sepgsql_users_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+allow sepgsql_users_type sepgsql_ro_blob_t : db_blob { getattr read };
+allow sepgsql_users_type sepgsql_secret_blob_t : db_blob { getattr };
+
+########################################
+#
+# SE-PostgreSQL loadable shared library policy
+#
+
+allow sepgsql_database_type sepgsql_module_type : db_database { load_module };
+sepgsql_module_object(lib_t)
+sepgsql_module_object(textrel_shlib_t)
+
+########################################
+#
+# SE-PostgreSQL audit switch
+#
+tunable_policy(`sepgsql_enable_auditallow',`
+ auditallow domain sepgsql_database_type : db_database all_db_database_perms;
+ auditallow domain sepgsql_table_type : db_table all_db_table_perms;
+ auditallow domain sepgsql_table_type : db_column all_db_column_perms;
+ auditallow domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
+ auditallow domain sepgsql_blob_type : db_blob all_db_blob_perms;
+ auditallow domain sepgsql_server_type : db_blob { import export };
+ auditallow domain file_type : db_database { install_module };
+')
+tunable_policy(`sepgsql_enable_audittuple && sepgsql_enable_auditallow',`
+ auditallow domain sepgsql_table_type : db_tuple all_db_tuple_perms;
+')
+tunable_policy(`! sepgsql_enable_auditdeny',`
+ dontaudit domain sepgsql_database_type : db_database all_db_database_perms;
+ dontaudit domain sepgsql_table_type : db_table all_db_table_perms;
+ dontaudit domain sepgsql_table_type : db_column all_db_column_perms;
+ dontaudit domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
+ dontaudit domain sepgsql_blob_type : db_blob all_db_blob_perms;
+ dontaudit domain sepgsql_server_type : db_blob { import export };
+ dontaudit domain file_type : db_database { install_module };
+')
+tunable_policy(`! sepgsql_enable_audittuple || ! sepgsql_enable_auditdeny',`
+ dontaudit domain sepgsql_table_type : db_tuple all_db_tuple_perms;
+')
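Review bot: `role system_r types sepgsql_trusted_proc_t;` attaches a role to a db_procedure object type; the domain that sepgsql_users_type transitions into is sepgsql_trusted_domain_t, so that is the type a role statement would name, and a services module should obtain the role through an interface rather than naming system_r directly. Related: `domain` and `system_r` are used without appearing in gen_require, and the raw requires of unlabeled_t, file_type, lib_t and textrel_shlib_t should go through the kernel_/files_/libs_ interfaces instead, which is the point about types and attributes belonging to other modules. Also, sepgsql_enable_unconfined defaults to true, so administrative domains get the full permission set out of the box; the `<desc>` should say so.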
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if (revision 2600)
+++ refpolicy/policy/modules/system/userdomain.if (working copy)
@@ -1203,6 +1203,11 @@
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
+
+ optional_policy(`
+ sepgsql_database_client_role($1_r)
+ sepgsql_database_user_domain($1_t)
+ ')
')
#######################################
@@ -1367,6 +1372,11 @@
optional_policy(`
userhelper_exec($1_t)
')
+
+ optional_policy(`
+ sepgsql_database_client_role($1_r)
+ sepgsql_database_admin_domain($1_t)
+ ')
')
########################################
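Review bot: the new optional_policy block is placed after userhelper_exec, but refpolicy keeps optional_policy blocks sorted alphabetically by module, so `sepgsql_` belongs before `userhelper_` (the earlier hunk in this file, after setroubleshoot_, is in the right position). It is also worth documenting that this is where admin users receive sepgsql_database_admin_domain, which with the default of sepgsql_enable_unconfined makes them unconfined toward the database.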
Index: refpolicy/policy/modules/system/unconfined.te
===================================================================
--- refpolicy/policy/modules/system/unconfined.te (revision 2600)
+++ refpolicy/policy/modules/system/unconfined.te (working copy)
@@ -193,6 +193,10 @@
')
optional_policy(`
+ sepgsql_database_client_role(unconfined_r)
+')
+
+optional_policy(`
usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
Index: refpolicy/policy/modules/system/unconfined.if
===================================================================
--- refpolicy/policy/modules/system/unconfined.if (revision 2600)
+++ refpolicy/policy/modules/system/unconfined.if (working copy)
@@ -88,6 +88,10 @@
')
optional_policy(`
+ sepgsql_database_admin_domain($1)
+ ')
+
+ optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-02-13 9:29 [PATCH] SE-PostgreSQL Security Policy Kohei KaiGai
@ 2008-02-25 16:30 ` Christopher J. PeBenito
2008-02-26 3:07 ` Kohei KaiGai
0 siblings, 1 reply; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-02-25 16:30 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: selinux
On Wed, 2008-02-13 at 18:29 +0900, Kohei KaiGai wrote:
> The attached patch adds support for SE-PostgreSQL.
> Most of it is the same as what we are currently distributing via the RPM package.
>
> This patch adds some booleans, attributes and types.
> You can find a detailed description of how they work in chapter 5
> of "The Security-Enhanced PostgreSQL Security Guide".
> See http://sepgsql.googlecode.com/files/sepgsql_security_guide.20070903.en.pdf
>
> Any comments please,
Just like with the X server, I don't believe that sepostgres should have
its own module. At first glance, there appear to be too many
attributes. I'm guessing that you're doing the same thing that is done
with the *_unconfined() interfaces. We mainly do that to optimize size
since unconfined brings in so many rules. I also see references to
types and attributes that belong to the module. Also the auditing
tunables seem unneeded; they seem to be more for debugging use. I think
I can get a better handle on the policy with these revisions.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-02-25 16:30 ` Christopher J. PeBenito
@ 2008-02-26 3:07 ` Kohei KaiGai
2008-02-27 8:00 ` Kohei KaiGai
0 siblings, 1 reply; 34+ messages in thread
From: Kohei KaiGai @ 2008-02-26 3:07 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
Christopher J. PeBenito wrote:
> On Wed, 2008-02-13 at 18:29 +0900, Kohei KaiGai wrote:
>> The attached patch adds support for SE-PostgreSQL.
>> Most of it is the same as what we are currently distributing via the RPM package.
>>
>> This patch adds some booleans, attributes and types.
>> You can find a detailed description of how they work in chapter 5
>> of "The Security-Enhanced PostgreSQL Security Guide".
>> See http://sepgsql.googlecode.com/files/sepgsql_security_guide.20070903.en.pdf
>>
>> Any comments please,
>
> Just like with the X server, I don't believe that sepostgres should have
> its own module.
OK, I'll make the next one a patch for services/postgresql.*.
> At first glance, there appear to be too many
> attributes. I'm guessing that you're doing the same thing that is done
> with the *_unconfined() interfaces. We mainly do that to optimize size
> since unconfined brings in so many rules.
OK, I'll replace the current interfaces with ones in the following style.

interface(`sepostgresql_unconfined',`
    gen_require(`
        attribute sepostgresql_unconfined_type;
    ')
    typeattribute $1 sepostgresql_unconfined_type;
')
> I also see references to types and attributes that belong to the module.
Is it unlabeled_t and system_r?
Where is the best place to associate them with my local policy?
> Also the auditing
> tunables seem unneeded; they seem to be more for debugging use. I think
> I can get a better handle on the policy with these revisions.
Hmm...
The reason why I added these tunables is that database folks told me
that collecting logs at the column/tuple level is an attractive feature,
because native DBMSs cannot provide fine-grained access control and
cannot collect logs at that level.
Thus, I believe the feature to readily turn auditing on/off should
be retained.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
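As an added illustration of how the attribute-based rules in the posted patch resolve for concrete domains (example code written for this page, not part of the thread or of SE-PostgreSQL): the script below expands attributes and `{ attr - type }` set differences the way checkpolicy does, loads rules copied from the revised patch's postgresql.te, and reports which domains hold more than getattr on sepgsql_secret_table_t. The declarations are constructed; postgresql_t, httpd_t and sysadm_t as attribute members are assumptions standing in for the patch's sepgsql_*_domain() calls in postgresql.te, apache.te and userdomain.if.

```python
"""Added example: resolve attribute-based SELinux allow rules like those in the SE-PostgreSQL patch."""
import re
from collections import defaultdict

# Constructed from the patch text (not the project's policy files).  postgresql_t, httpd_t
# and sysadm_t as attribute members are an ASSUMPTION standing in for the patch's
# sepgsql_*_domain() calls in postgresql.te, apache.te and userdomain.if.
DECLS = """
attribute sepgsql_server_type; attribute sepgsql_client_type;
attribute sepgsql_unconfined_type; attribute sepgsql_table_type;
attribute sepgsql_procedure_type;
type postgresql_t; type httpd_t; type sysadm_t;
type sepgsql_table_t, sepgsql_table_type;
type sepgsql_secret_table_t, sepgsql_table_type;
type sepgsql_user_proc_t, sepgsql_procedure_type;
type sepgsql_trusted_proc_t, sepgsql_procedure_type;
typeattribute postgresql_t sepgsql_server_type;
typeattribute httpd_t sepgsql_client_type;
typeattribute sysadm_t sepgsql_client_type; typeattribute sysadm_t sepgsql_unconfined_type;
"""
# Rules copied from the revised patch's postgresql.te, with the sepgsql_enable_unconfined
# branch included (the boolean defaults to true).
RULES = """
allow sepgsql_server_type sepgsql_table_type : { db_table db_column db_tuple } *;
allow sepgsql_server_type sepgsql_procedure_type : db_procedure *;
allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
allow sepgsql_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
allow sepgsql_client_type sepgsql_secret_table_t : db_table { getattr };
allow { sepgsql_client_type - sepgsql_unconfined_type } sepgsql_user_proc_t : db_procedure { create drop getattr setattr execute };
allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
"""
SET = r"(\{[^}]*\}|\S+)"                      # a single name or a brace-delimited set
RULE_RE = re.compile(rf"allow\s+{SET}\s+{SET}\s*:\s*{SET}\s+{SET}$")


def _statements(text):
    """Split policy text into ';'-terminated statements, dropping # comment lines."""
    body = " ".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    return [s.strip() for s in body.split(";") if s.strip()]


class Policy:
    def __init__(self):
        self.attrs = defaultdict(set)   # attribute -> member types
        self.av = defaultdict(set)      # (subject, target, class) -> permissions

    def load_decls(self, text):
        for stmt in _statements(text):
            kw, rest = stmt.split(None, 1)
            names = rest.replace(",", " ").split()
            if kw == "attribute":
                self.attrs.setdefault(names[0], set())
            elif kw in ("type", "typeattribute"):   # type NAME, ATTR... / typeattribute NAME ATTR...
                for attr in names[1:]:
                    self.attrs[attr].add(names[0])

    def expand(self, expr):
        """Expand a type, an attribute, or a `{ a b - c }` set expression into concrete types."""
        include, exclude = set(), set()
        for tok in expr.strip("{} ").replace("- ", "-").split():
            name = tok.lstrip("-")
            (exclude if tok.startswith("-") else include).update(self.attrs.get(name, {name}))
        return include - exclude

    def load_rules(self, text):
        for stmt in _statements(text):
            m = RULE_RE.match(stmt)
            if not m:
                raise ValueError("unparsed rule: " + stmt)
            subj, tgt, classes, perms = m.groups()
            permset = set(perms.strip("{} ").split())   # "*" stands for every permission
            for s in self.expand(subj):
                for t in ({s} if tgt == "self" else self.expand(tgt)):
                    for cls in classes.strip("{} ").split():
                        self.av[(s, t, cls)] |= permset

    def can(self, subj, tgt, cls, perm):
        perms = self.av.get((subj, tgt, cls), set())
        return "*" in perms or perm in perms


def secret_table_exposure(policy):
    """Non-server subjects holding more than getattr on sepgsql_secret_table_t, per class."""
    over = {}
    for (s, t, cls), perms in policy.av.items():
        if t == "sepgsql_secret_table_t" and s not in policy.attrs["sepgsql_server_type"]:
            extra = ({"*"} if "*" in perms else perms) - {"getattr"}
            if extra:
                over[(s, cls)] = sorted(extra)
    return over


POLICY = Policy()
POLICY.load_decls(DECLS)
POLICY.load_rules(RULES)
```

Querying `can()` for sysadm_t against sepgsql_user_proc_t shows the effect of the `{ sepgsql_client_type - sepgsql_unconfined_type }` rule: the unconfined administrative domain may create and relabel user-defined procedures but not execute them.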
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-02-26 3:07 ` Kohei KaiGai
@ 2008-02-27 8:00 ` Kohei KaiGai
2008-03-04 15:16 ` KaiGai Kohei
2008-03-06 15:27 ` Christopher J. PeBenito
0 siblings, 2 replies; 34+ messages in thread
From: Kohei KaiGai @ 2008-02-27 8:00 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 2115 bytes --]
The attached patch provides security policies related to SE-PostgreSQL.
The following are the updates and unchanged points relative to the previous
version submitted two weeks ago. These updates replaced most of the previous
one.
- The targets of this patch are moved to services/postgresql.*,
whereas the previous one added new entries.
- Every interface got slimmer. Each contains only one TYPEATTRIBUTE
statement, and postgresql.te allows most of the permissions to
the associated attributes.
* Tunables to turn auditing on/off are retained for now, because database
folks told me fine-grained logs are a worthwhile feature.
Any comment please,
Thanks,
>> Just like with the X server, I don't believe that sepostgres should have
>> its own module.
>
> OK, I'll make the next one a patch for services/postgresql.*.
>
>> At first glance, there appear to be too many
>> attributes. I'm guessing that you're doing the same thing that is done
>> with the *_unconfined() interfaces. We mainly do that to optimize size
>> since unconfined brings in so many rules.
>
> OK, I'll replace the current interfaces with ones in the following style.
>
> interface(`sepostgresql_unconfined',`
>     gen_require(`
>         attribute sepostgresql_unconfined_type;
>     ')
>     typeattribute $1 sepostgresql_unconfined_type;
> ')
>
>> I also see references to types and attributes that belong to the module.
>
> Is it unlabeled_t and system_r?
> Where is the best place to associate them with my local policy?
>
>> Also the auditing
>> tunables seem unneeded; they seem to be more for debugging use. I think
>> I can get a better handle on the policy with these revisions.
>
> Hmm...
> The reason why I added these tunables is that database folks told me
> that collecting logs at the column/tuple level is an attractive feature,
> because native DBMSs cannot provide fine-grained access control and
> cannot collect logs at that level.
> Thus, I believe the feature to readily turn auditing on/off should
> be retained.
>
> Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-sepostgresql.patch --]
[-- Type: text/x-patch, Size: 17276 bytes --]
Index: refpolicy-sepgsql/policy/modules/services/postgresql.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.if (revision 2626)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.if (working copy)
@@ -120,3 +120,92 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+########################################
+## <summary>
+## Marks the specified domain as SE-PostgreSQL server process.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be marked
+## </summary>
+## </param>
+#
+interface(`sepgsql_server_domain',`
+ gen_require(`
+ attribute sepgsql_server_type;
+ ')
+ typeattribute $1 sepgsql_server_type;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unconfined accesses to any database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sepgsql_unconfined_domain',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_unconfined_type;
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unprivileged accesses to any database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sepgsql_client_domain',`
+ gen_require(`
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+## Allow the specified role to invoke trusted procedures
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the domain.
+## </summary>
+## </param>
+#
+interface(`sepgsql_trusted_procedure_role',`
+ gen_require(`
+ type sepgsql_trusted_domain_t;
+ ')
+ role $1 types sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`sepgsql_loadable_module',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+ typeattribute $1 sepgsql_module_type;
+')
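Review bot: the interfaces are added to postgresql.if but named `sepgsql_*`; refpolicy derives interface names from the module name, so callers would expect postgresql_unconfined_domain(), postgresql_client_domain(), postgresql_trusted_procedure_role() and so on, and the generated interface documentation groups them under the module by that prefix. Minor: the summaries of `sepgsql_unconfined_domain` and `sepgsql_client_domain` end in a comma, and `sepgsql_loadable_module` documents its parameter as "Type marked as a database object type" although it marks a shared-library type.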
Index: refpolicy-sepgsql/policy/modules/services/apache.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.te (revision 2626)
+++ refpolicy-sepgsql/policy/modules/services/apache.te (working copy)
@@ -498,6 +498,10 @@
yam_read_content(httpd_t)
')
+optional_policy(`
+ sepgsql_client_domain(httpd_t)
+')
+
########################################
#
# Apache helper local policy
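Review bot: `sepgsql_client_domain(httpd_t)` makes every httpd_t a database client unconditionally, while httpd's other database access in refpolicy sits behind booleans (for example httpd_can_network_connect_db); consider placing the call under that tunable so a web server that has not been granted database access does not receive the client attribute. Style: the block is appended after yam_read_content rather than in alphabetical position among the optional_policy blocks.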
Index: refpolicy-sepgsql/policy/modules/services/apache.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.if (revision 2626)
+++ refpolicy-sepgsql/policy/modules/services/apache.if (working copy)
@@ -226,6 +226,10 @@
')
optional_policy(`
+ sepgsql_client_domain(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
Index: refpolicy-sepgsql/policy/modules/services/postgresql.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.te (revision 2626)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.te (working copy)
@@ -166,3 +166,230 @@
optional_policy(`
udev_read_db(postgresql_t)
')
+
+#################################
+#
+# SE-PostgreSQL Boolean declarations
+#
+
+## <desc>
+## <p>
+## Allow to enable unconfined domains
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_unconfined, true)
+
+## <desc>
+## <p>
+## Allow to generate auditallow logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditallow, false)
+
+## <desc>
+## <p>
+## Allow to generate auditdeny logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditdeny, true)
+
+## <desc>
+## <p>
+## Allow to generate audit(allow|deny) logs for tuples
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_audittuple, false)
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
+#################################
+#
+# SE-PostgreSQL Type/Attribute declarations
+#
+
+# database subjects
+attribute sepgsql_server_type;
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database trusted domain
+type sepgsql_trusted_domain_t;
+
+# database object types
+type sepgsql_db_t, sepgsql_database_type;
+
+type sepgsql_table_t, sepgsql_table_type;
+type sepgsql_sysobj_t, sepgsql_table_type;
+type sepgsql_secret_table_t, sepgsql_table_type;
+type sepgsql_ro_table_t, sepgsql_table_type;
+type sepgsql_fixed_table_t, sepgsql_table_type;
+
+type sepgsql_proc_t, sepgsql_procedure_type;
+type sepgsql_user_proc_t, sepgsql_procedure_type;
+type sepgsql_trusted_proc_t, sepgsql_procedure_type;
+
+type sepgsql_blob_t, sepgsql_blob_type;
+type sepgsql_ro_blob_t, sepgsql_blob_type;
+type sepgsql_secret_blob_t, sepgsql_blob_type;
+
+typeattribute unlabeled_t sepgsql_database_type;
+typeattribute unlabeled_t sepgsql_table_type;
+typeattribute unlabeled_t sepgsql_procedure_type;
+typeattribute unlabeled_t sepgsql_blob_type;
+
+########################################
+#
+# SE-PostgreSQL Server Local policy
+# (sepgsql_server_type)
+
+sepgsql_server_domain(postgresql_t)
+
+allow sepgsql_server_type self : netlink_selinux_socket create_socket_perms;
+selinux_get_fs_mount(sepgsql_server_type)
+selinux_get_enforce_mode(sepgsql_server_type)
+selinux_validate_context(sepgsql_server_type)
+selinux_compute_access_vector(sepgsql_server_type)
+selinux_compute_create_context(sepgsql_server_type)
+selinux_compute_relabel_context(sepgsql_server_type)
+
+allow sepgsql_server_type sepgsql_database_type : db_database *;
+allow sepgsql_server_type sepgsql_module_type : db_database { install_module };
+allow sepgsql_server_type sepgsql_table_type : { db_table db_column db_tuple } *;
+allow sepgsql_server_type sepgsql_procedure_type : db_procedure *;
+allow sepgsql_server_type sepgsql_blob_type : db_blob *;
+
+# server specific type transitions
+type_transition sepgsql_server_type sepgsql_database_type : db_table sepgsql_sysobj_t;
+type_transition sepgsql_server_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+
+########################################
+#
+# SE-PostgreSQL Administrative domain local policy
+# (sepgsql_unconfined_type)
+
+tunable_policy(`sepgsql_enable_unconfined',`
+ allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
+ allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
+ allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
+ allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
+ allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
+ allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
+ allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
+
+ type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
+',`
+ type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
+')
+
+########################################
+#
+# SE-PostgreSQL Users domain local policy
+# (sepgsql_client_type)
+
+allow sepgsql_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
+
+allow sepgsql_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
+allow sepgsql_client_type sepgsql_table_t : db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t : db_tuple { use select update insert delete };
+
+allow sepgsql_client_type sepgsql_sysobj_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { use select };
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_client_type sepgsql_table_t : db_table { create drop setattr };
+ allow sepgsql_client_type sepgsql_table_t : db_column { create drop setattr };
+ allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { update insert delete };
+')
+
+allow sepgsql_client_type sepgsql_secret_table_t : db_table { getattr };
+allow sepgsql_client_type sepgsql_secret_table_t : db_column { getattr };
+
+allow sepgsql_client_type sepgsql_ro_table_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_fixed_table_t : db_table { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_proc_t : db_procedure { getattr execute };
+allow { sepgsql_client_type - sepgsql_unconfined_type } sepgsql_user_proc_t : db_procedure { create drop getattr setattr execute };
+allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t : db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t : db_blob { getattr };
+
+# call trusted procedure
+type_transition sepgsql_client_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
+allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };
+
+# type transitions for rest of domains
+type_transition domain domain : db_database sepgsql_db_t;
+type_transition { domain - sepgsql_server_type } sepgsql_database_type : db_table sepgsql_table_t;
+type_transition { domain - sepgsql_server_type - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
+type_transition domain sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL Misc policies
+#
+
+# Trusted Procedure Domain
+domain_type(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+sepgsql_unconfined_domain(sepgsql_trusted_domain_t)
+
+# The following permissions are allowed, even if sepgsql_enable_unconfined is disabled.
+allow sepgsql_trusted_domain_t sepgsql_database_type : db_database { getattr setattr access get_param set_param};
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_table { getattr use select update insert delete lock };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_column { getattr use select update insert };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_tuple { use select update insert delete };
+
+allow sepgsql_trusted_domain_t { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure { getattr execute };
+allow sepgsql_trusted_domain_t sepgsql_user_proc_t : db_procedure { getattr };
+allow sepgsql_trusted_domain_t sepgsql_blob_type : db_blob { getattr setattr read write };
+
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type : db_database { load_module };
+
+########################################
+#
+# SE-PostgreSQL audit switch
+#
+tunable_policy(`sepgsql_enable_auditallow',`
+ auditallow domain sepgsql_database_type : db_database all_db_database_perms;
+ auditallow domain sepgsql_table_type : db_table all_db_table_perms;
+ auditallow domain sepgsql_table_type : db_column all_db_column_perms;
+ auditallow domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
+ auditallow domain sepgsql_blob_type : db_blob all_db_blob_perms;
+ auditallow domain sepgsql_server_type : db_blob { import export };
+ auditallow domain sepgsql_module_type : db_database { install_module };
+')
+tunable_policy(`sepgsql_enable_audittuple && sepgsql_enable_auditallow',`
+ auditallow domain sepgsql_table_type : db_tuple all_db_tuple_perms;
+')
+tunable_policy(`! sepgsql_enable_auditdeny',`
+ dontaudit domain sepgsql_database_type : db_database all_db_database_perms;
+ dontaudit domain sepgsql_table_type : db_table all_db_table_perms;
+ dontaudit domain sepgsql_table_type : db_column all_db_column_perms;
+ dontaudit domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
+ dontaudit domain sepgsql_blob_type : db_blob all_db_blob_perms;
+ dontaudit domain sepgsql_server_type : db_blob { import export };
+ dontaudit domain sepgsql_module_type : db_database { install_module };
+')
+tunable_policy(`! sepgsql_enable_audittuple || ! sepgsql_enable_auditdeny',`
+ dontaudit domain sepgsql_table_type : db_tuple all_db_tuple_perms;
+')
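Review bot: `type_transition domain domain : db_database sepgsql_db_t;` names the process attribute `domain` as the target, unlike every other transition in this file, which targets a database attribute; if a new database's parent context really is the creating process's own, say so in a comment, otherwise this reads as a typo for sepgsql_database_type. The same blanket use of `domain` in the db_table, db_procedure and db_blob transitions and in the auditallow/dontaudit blocks means no other module can supply its own default type for a table or procedure without a conflicting type_transition; key these on sepgsql_client_type (or on a per-caller template) instead. Two smaller points: `auditallow domain sepgsql_server_type : db_blob { import export };` audits on the server attribute while the matching allow grants `import export` on `postgresql_t`, so pick one spelling for both; and `set_param};` in the two db_database rules lacks the space before the closing brace that every other permission set here has.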
Index: refpolicy-sepgsql/policy/modules/services/postgresql.fc
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.fc (revision 2626)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.fc (working copy)
@@ -6,8 +6,9 @@
#
# /usr
#
-/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
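Review bot: `/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)` labels only the SE build's control script as initrc_exec_t, while the regular pg_ctl is not touched by this hunk; if both are meant to be started through the init script path, fold them into one `/usr/bin/(se)?pg_ctl` entry in the same style as the `(se)?postgres` and `initdb(\.sepgsql)?` lines just above, otherwise add a comment saying why only the SE variant gets the initrc label.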
@@ -30,8 +31,12 @@
/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
ifdef(`distro_redhat', `
/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
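Review bot: `/var/lib/sepgsql/pgstartup\.log -- ...` carries the `--` regular-file specifier but the existing `/var/lib/pgsql/pgstartup\.log` entry two lines above has none; make the two consistent (adding `--` to both is the safer choice). Since `/var/lib/sepgsql(/.*)?` already labels the whole tree postgresql_db_t, the log entry exists only to override that more general match, which deserves a one-line comment so the second data directory does not read as a copy-paste of the pgsql block.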
Index: refpolicy-sepgsql/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/userdomain.if (revision 2626)
+++ refpolicy-sepgsql/policy/modules/system/userdomain.if (working copy)
@@ -1201,6 +1201,11 @@
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
+ optional_policy(`
+ sepgsql_client_domain($1_t)
+ sepgsql_trusted_procedure_role($1_r)
+ ')
+
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
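Review bot: `sepgsql_client_domain($1_t)` and `sepgsql_trusted_procedure_role($1_r)` make every user domain built from this template a database client and authorize its role for the trusted-procedure domain unconditionally, whether or not the domain can connect to postgresql at all; applying the client attribute from the existing postgresql connect interfaces would limit db_* permissions to domains that can actually reach the server. The sepgsql_ prefix also does not match the module these rules are going into (postgresql), so the interface names at this call site will need to change before it is final.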
@@ -1371,6 +1376,10 @@
')
optional_policy(`
+ sepgsql_unconfined_domain($1_t)
+ ')
+
+ optional_policy(`
userhelper_exec($1_t)
')
')
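Review bot: `sepgsql_unconfined_domain($1_t)` in the admin template hands out the unconfined database attribute, but the rules behind that attribute in the te file are wrapped in tunable_policy(`sepgsql_enable_unconfined`), so with the boolean off this admin domain silently falls back to ordinary client rights; a short comment here (or in the interface summary) saying the access is tunable-gated would save the next reader a trip through the te file.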
Index: refpolicy-sepgsql/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.te (revision 2626)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.te (working copy)
@@ -189,6 +189,10 @@
')
optional_policy(`
+ sepgsql_trusted_procedure_role(unconfined_r)
+')
+
+optional_policy(`
tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
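Review bot: only the role half is wired here (`sepgsql_trusted_procedure_role(unconfined_r)`); the type_transition into sepgsql_trusted_domain_t in the te file is keyed on sepgsql_client_type, so this rule has no effect unless unconfined_t also carries the client attribute through some other path. Either call the client interface alongside it or note in a comment where unconfined_t picks that attribute up.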
Index: refpolicy-sepgsql/policy/modules/system/libraries.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/libraries.te (revision 2626)
+++ refpolicy-sepgsql/policy/modules/system/libraries.te (working copy)
@@ -103,3 +103,8 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ sepgsql_loadable_module(lib_t)
+ sepgsql_loadable_module(textrel_shlib_t)
+')
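Review bot: `sepgsql_loadable_module(lib_t)` and `sepgsql_loadable_module(textrel_shlib_t)` put every shared library on the system into sepgsql_module_type, so anything an unconfined database role can name becomes installable as a server module; a dedicated type for the PostgreSQL extension library directory would bound this to libraries actually built for the server. Since install_module and load_module are checked in the db_database class while these are file types, the interface documentation should say explicitly that a library file's type is being treated as a database-class object here.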
Index: refpolicy-sepgsql/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.if (revision 2626)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.if (working copy)
@@ -88,6 +88,10 @@
')
optional_policy(`
+ sepgsql_unconfined_domain($1)
+ ')
+
+ optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
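Review bot: `sepgsql_unconfined_domain($1)` is called here and in the admin template, but neither call site adds sepgsql_client_type, while several rules in the te file subtract the unconfined attribute from the client attribute (`{ sepgsql_client_type - sepgsql_unconfined_type }`), which only makes sense if unconfined domains are clients as well. Either make the interface assign both attributes and say so in its summary, or add the client interface call next to this one.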
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-02-27 8:00 ` Kohei KaiGai
@ 2008-03-04 15:16 ` KaiGai Kohei
2008-03-06 15:27 ` Christopher J. PeBenito
1 sibling, 0 replies; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-04 15:16 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Kohei KaiGai, selinux
Kohei KaiGai wrote:
> The attached patch provides security policies related to SE-PostgreSQL.
>
> The following are the updates/non-changes from the previous version submitted
> two weeks ago. These updates replaced most of the previous
> one.
>
> - The targets of this patch are moved to services/postgresql.*,
> although the previous one added new entries.
> - Every interface got slimmer. They contain only one TYPEATTRIBUTE
> statement, and postgresql.te allows most of the permissions to
> the associated attributes.
> * Tunables to turn audit on/off are retained for now, because database
> folks told me fine-grained logs are a worthwhile feature.
>
> Any comment please,
>
> Thanks,
Chris,
What is the current status of the patch?
>>> Just like with the X server, I don't believe that sepostgres should have
>>> its own module.
>>
>> OK, I'll make next one as a patch for services/postgresql.*.
>>
>>> At first glance, there appears to be too many
>>> attributes. I'm guessing that you're doing the same thing that is done
>>> with the *_unconfined() interfaces. We mainly do that to optimize size
>>> since unconfined brings in so many rules.
>>
>> OK, I'll replace current interfaces by the following style's one.
>>
>> interface(`sepostgresql_unconfined',`
>> gen_require(`
>> attribute sepostgresql_unconfined_type;
>> ')
>> typeattribute $1 sepostgresql_unconfined_type;
>> ')
>>
> >>> I also see references to types and attributes that belong to the module.
>>
> >> Is it unlabeled_t and system_r?
>> Where is the best place to associate them with my local policy?
>>
>> > Also the auditing
>>> tunables seem unneeded; they seem to be more for debugging use. I think
>>> I can get a better handle on the policy with these revisions.
>>
>> Hmm...
> >> The reason why I added these tunables is that database folks told me
> >> that collecting logs at column/tuple level is an attractive feature,
> >> because a native DBMS cannot provide fine-grained access control and
> >> cannot collect logs at that level.
> >> Thus, I believe the feature to readily turn auditing on/off should
> >> be retained.
>>
>> Thanks,
>
>
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-02-27 8:00 ` Kohei KaiGai
2008-03-04 15:16 ` KaiGai Kohei
@ 2008-03-06 15:27 ` Christopher J. PeBenito
2008-03-06 18:51 ` Joshua Brindle
2008-03-07 1:52 ` Kohei KaiGai
1 sibling, 2 replies; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-03-06 15:27 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: selinux
On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
> The attached patch provides security policies related to
> SE-PostgreSQL.
>
> The following are the updates/non-changes from the previous version
> submitted
> two weeks ago. These updates replaced most of the
> previous
> one.
>
> - The targets of this patch are moved to services/postgresql.*,
> although the previous one added new entries.
Interfaces must be renamed from sepgsql_* to postgresql_*
> - Every interface got slimmer. They contain only one TYPEATTRIBUTE
> statement, and postgresql.te allows most of the permissions to
> the associated attributes.
I'm not convinced that any of these are necessary except for the one for
unconfined access.
> * Tunables to turn audit on/off are retained for now, because database
> folks told me fine-grained logs are a worthwhile feature.
I'm still not very compelled by this, as I doubt people who do want more
auditing will want to enable it so coarsely.
> +interface(`sepgsql_unconfined_domain',`
This should be postgresql_unconfined().
> +interface(`sepgsql_client_domain',`
> + gen_require(`
> + attribute sepgsql_client_type;
> + ')
> + typeattribute $1 sepgsql_client_type;
> +')
The two existing connect interfaces (tcp and stream) should probably
call this interface. If it's regular postgresql, it won't hurt anything.
> +typeattribute unlabeled_t sepgsql_database_type;
> +typeattribute unlabeled_t sepgsql_table_type;
> +typeattribute unlabeled_t sepgsql_procedure_type;
> +typeattribute unlabeled_t sepgsql_blob_type;
Usage of unlabeled_t here is not permitted.
> +########################################
> +#
> +# SE-PostgreSQL Server Local policy
> +# (sepgsql_server_type)
> +
> +sepgsql_server_domain(postgresql_t)
I don't see any other usage of this other than on postgresql_t, why is
it needed?
> +########################################
> +#
> +# SE-PostgreSQL Administrative domain local policy
> +# (sepgsql_unconfined_type)
> +
> +tunable_policy(`sepgsql_enable_unconfined',`
> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
> +
> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
> +',`
> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
> +')
Why is this tunable? Why is there a different type_transition behavior?
> +# type transitions for rest of domains
> +type_transition domain domain : db_database sepgsql_db_t;
> +type_transition { domain - sepgsql_server_type } sepgsql_database_type : db_table sepgsql_table_t;
> +type_transition { domain - sepgsql_server_type - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
> +type_transition domain sepgsql_database_type : db_blob sepgsql_blob_t;
[...]
> +tunable_policy(`sepgsql_enable_auditallow',`
> + auditallow domain sepgsql_database_type : db_database all_db_database_perms;
> + auditallow domain sepgsql_table_type : db_table all_db_table_perms;
> + auditallow domain sepgsql_table_type : db_column all_db_column_perms;
> + auditallow domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
> + auditallow domain sepgsql_blob_type : db_blob all_db_blob_perms;
> + auditallow domain sepgsql_server_type : db_blob { import export };
> + auditallow domain sepgsql_module_type : db_database { install_module };
> +')
> +tunable_policy(`sepgsql_enable_audittuple && sepgsql_enable_auditallow',`
> + auditallow domain sepgsql_table_type : db_tuple all_db_tuple_perms;
> +')
> +tunable_policy(`! sepgsql_enable_auditdeny',`
> + dontaudit domain sepgsql_database_type : db_database all_db_database_perms;
> + dontaudit domain sepgsql_table_type : db_table all_db_table_perms;
> + dontaudit domain sepgsql_table_type : db_column all_db_column_perms;
> + dontaudit domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
> + dontaudit domain sepgsql_blob_type : db_blob all_db_blob_perms;
> + dontaudit domain sepgsql_server_type : db_blob { import export };
> + dontaudit domain sepgsql_module_type : db_database { install_module };
> +')
> +tunable_policy(`! sepgsql_enable_audittuple || ! sepgsql_enable_auditdeny',`
> + dontaudit domain sepgsql_table_type : db_tuple all_db_tuple_perms;
> +')
Usage of domain here is not permitted. Why does everything
type_transition to sepgsql_table_t, etc? It makes it impossible to
type_transition to something else. With the current config, everything
is the same type for each table, blob, etc. That's fine for the base
config, but when people add types for their tables, they won't be able
to type_transition their tables to their type. It seems like several
templates need to be created to handle this. E.g. we want to have
support for module foo to have a foo_table_t and foo_db_procedure_t.
The same can be said for columns and other relevant objects.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-06 15:27 ` Christopher J. PeBenito
@ 2008-03-06 18:51 ` Joshua Brindle
2008-03-07 2:20 ` Kohei KaiGai
2008-03-07 1:52 ` Kohei KaiGai
1 sibling, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2008-03-06 18:51 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: Christopher J. PeBenito, selinux
Christopher J. PeBenito wrote:
> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>
>> The attached patch provides security policies related to
>> SE-PostgreSQL.
>>
>> The following are the updates/non-changes from the previous version
>> submitted
>> two weeks ago. These updates replaced most of the
>> previous
>> one.
>>
>> - The targets of this patch are moved to services/postgresql.*,
>> although the previous one added new entries.
>>
>
>
>> +tunable_policy(`sepgsql_enable_auditallow',`
>> + auditallow domain sepgsql_database_type : db_database all_db_database_perms;
>> + auditallow domain sepgsql_table_type : db_table all_db_table_perms;
>> + auditallow domain sepgsql_table_type : db_column all_db_column_perms;
>> + auditallow domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
>> + auditallow domain sepgsql_blob_type : db_blob all_db_blob_perms;
>> + auditallow domain sepgsql_server_type : db_blob { import export };
>> + auditallow domain sepgsql_module_type : db_database { install_module };
>> +')
>>
A couple of questions about the install_module and load_module permissions.
First, they seem here to be referring to sepgsql_module_type as the object,
which currently are lib_t and textrel_shlib_t, file types. So the object
class of db_database seems to be inaccurate.
Also, after looking at the code I don't see why install_module and
load_module need to be different permissions, granted they are a
privileged operation but why not collapse them into a single access vector?
Also, why are blobs a separate object class? How is it a privileged
operation to use blobs in a table? As far as reading and writing them
they should be treated like any other column, shouldn't they?
And one more question. I see you have a type transition for
sepgsql_proc_t but I never saw sepgsql_proc_t as the subject of any
rules, which I don't understand. The hooks appear to always use the
client_sid as the subject but for stored procedures to be useful they
may need to access data that the client wouldn't be able to, or did I
miss something?
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-06 15:27 ` Christopher J. PeBenito
2008-03-06 18:51 ` Joshua Brindle
@ 2008-03-07 1:52 ` Kohei KaiGai
2008-03-07 9:32 ` Kohei KaiGai
` (2 more replies)
1 sibling, 3 replies; 34+ messages in thread
From: Kohei KaiGai @ 2008-03-07 1:52 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
Thanks for your reviewing.
Christopher J. PeBenito wrote:
> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>> The attached patch provides security policies related to
>> SE-PostgreSQL.
>>
>> The following are the updates/non-changes from the previous version
>> submitted
>> two weeks ago. These updates replaced most of the
>> previous
>> one.
>>
>> - The targets of this patch are moved to services/postgresql.*,
>> although the previous one added new entries.
>
> Interfaces must be renamed from sepgsql_* to postgresql_*
OK,
>> - Every interface got slimmer. They contain only one TYPEATTRIBUTE
>> statement, and postgresql.te allows most of the permissions to
>> the associated attributes.
>
> I'm not convinced that any of these are necessary except for the one for
> unconfined access.
sepgsql_client_type is intended to define the set of all client domains.
It is necessary to describe type_transition rules for db_procedure.
When a new function is declared, it is labeled as sepgsql_user_proc_t
except for the unconfined domain.
However, applying a template can make it unnecessary, as follows:
type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
This matter comes from all users sharing one sepgsql_proc_t.
>> * Tunables to turn audit on/off are retained for now, because database
>> folks told me fine-grained logs are a worthwhile feature.
>
> I'm still not very compelled by this, as I doubt people who do want more
> auditing will want to enable it so coarsely.
Hmm...
OK, I'll remove these tunable, and add a documentation to collect
fine-grained database access logs.
>> +interface(`sepgsql_unconfined_domain',`
>
> This should be postgresql_unconfined().
OK,
>> +interface(`sepgsql_client_domain',`
>> + gen_require(`
>> + attribute sepgsql_client_type;
>> + ')
>> + typeattribute $1 sepgsql_client_type;
>> +')
>
> The two existing connect interfaces (tcp and stream) should probably
> call this interface. If it's regular postgresql, it won't hurt anything.
OK,
>> +typeattribute unlabeled_t sepgsql_database_type;
>> +typeattribute unlabeled_t sepgsql_table_type;
>> +typeattribute unlabeled_t sepgsql_procedure_type;
>> +typeattribute unlabeled_t sepgsql_blob_type;
>
> Usage of unlabeled_t here is not permitted.
Is it the appropriate manner to deploy an optional_policy block in kernel/kernel.te?
>> +########################################
>> +#
>> +# SE-PostgreSQL Server Local policy
>> +# (sepgsql_server_type)
>> +
>> +sepgsql_server_domain(postgresql_t)
>
> I don't see any other usage of this other than on postgresql_t, why is
> it needed?
Indeed, it is a 1:1 mapping and unnecessary.
I'll replace it in the next one.
>> +########################################
>> +#
>> +# SE-PostgreSQL Administrative domain local policy
>> +# (sepgsql_unconfined_type)
>> +
>> +tunable_policy(`sepgsql_enable_unconfined',`
>> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
>> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
>> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
>> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
>> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
>> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
>> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
>> +
>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
>> +',`
>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
>> +')
>
> Why is this tunable? Why is there a different type_transition behavior?
I intend that users can turn off this tunable during the operation phase
after the initial database setup, to prevent unconfined accesses from being applied.
When sepgsql_enable_unconfined is disabled, sepgsql_unconfined_type works
as if it were sepgsql_client_type, because the sepgsql_unconfined_domain() interface
associates a domain with both sepgsql_(unconfined|client)_type.
Thus, this type_transition rule is necessary.
The purpose of sepgsql_user_proc_t is to prevent the administrative domain from
invoking user defined functions with unconfined permissions.
The administrative domain has to confirm the function and relabel it before invoking it.
>> +# type transitions for rest of domains
>> +type_transition domain domain : db_database sepgsql_db_t;
>> +type_transition { domain - sepgsql_server_type } sepgsql_database_type : db_table sepgsql_table_t;
>> +type_transition { domain - sepgsql_server_type - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
>> +type_transition domain sepgsql_database_type : db_blob sepgsql_blob_t;
> [...]
>> +tunable_policy(`sepgsql_enable_auditallow',`
>> + auditallow domain sepgsql_database_type : db_database all_db_database_perms;
>> + auditallow domain sepgsql_table_type : db_table all_db_table_perms;
>> + auditallow domain sepgsql_table_type : db_column all_db_column_perms;
>> + auditallow domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
>> + auditallow domain sepgsql_blob_type : db_blob all_db_blob_perms;
>> + auditallow domain sepgsql_server_type : db_blob { import export };
>> + auditallow domain sepgsql_module_type : db_database { install_module };
>> +')
>> +tunable_policy(`sepgsql_enable_audittuple && sepgsql_enable_auditallow',`
>> + auditallow domain sepgsql_table_type : db_tuple all_db_tuple_perms;
>> +')
>> +tunable_policy(`! sepgsql_enable_auditdeny',`
>> + dontaudit domain sepgsql_database_type : db_database all_db_database_perms;
>> + dontaudit domain sepgsql_table_type : db_table all_db_table_perms;
>> + dontaudit domain sepgsql_table_type : db_column all_db_column_perms;
>> + dontaudit domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
>> + dontaudit domain sepgsql_blob_type : db_blob all_db_blob_perms;
>> + dontaudit domain sepgsql_server_type : db_blob { import export };
>> + dontaudit domain sepgsql_module_type : db_database { install_module };
>> +')
>> +tunable_policy(`! sepgsql_enable_audittuple || ! sepgsql_enable_auditdeny',`
>> + dontaudit domain sepgsql_table_type : db_tuple all_db_tuple_perms;
>> +')
>
> Usage of domain here is not permitted. Why does everything
> type_transition to sepgsql_table_t, etc? It makes it impossible to
> type_transition to something else. With the current config, everything
> is the same type for each table, blob, etc. Thats fine for the base
> config, but when people add types for their tables, they won't be able
> to type_transition their tables to their type. It seems like several
> templates need to be created to handle this. E.g. we want to have
> support for module foo to have a foo_table_t and foo_db_procedure_t.
> The same can be said for columns and other relevant objects.
OK, I understand why you want to avoid applying `domain' to type_transition.
Indeed, this widespread approach lacks policy extensibility.
I think it is a good idea to provide a template to define users' own types.
I'll merge this idea in the next one.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
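A sketch of the per-userdomain template proposed in the reply above, added here as an illustration; it is not code from the posted patch or from SE-PostgreSQL's own policy. It reuses the attribute and type names the patch already declares (sepgsql_client_type, sepgsql_unconfined_type, sepgsql_database_type, sepgsql_table_type, sepgsql_procedure_type, sepgsql_blob_type, sepgsql_trusted_domain_t) and takes its permission sets from the sepgsql_client_type rules in the patch; the template name, the sepgsql_$1_*_t type names and the role statement are assumptions, and it assumes the blanket `domain` type_transition rules have been dropped, since two type_transition rules with the same source, target and class but different default types conflict. What it shows is that keying the transitions on the user's own domain (minus the unconfined attribute, for procedures) gives each userdomain, or any later module, its own default table, procedure and blob types, which the single-type scheme criticized in the review cannot do.

```selinux
## <summary>
##	Per-userdomain database object types for SE-PostgreSQL.
##	Illustrative template, not part of the posted patch.
## </summary>
## <param name="userdomain_prefix">
##	The prefix of the user domain, e.g. staff for staff_t / staff_r.
## </param>
template(`postgresql_userdom_template',`
	gen_require(`
		attribute sepgsql_client_type, sepgsql_unconfined_type;
		attribute sepgsql_database_type, sepgsql_table_type;
		attribute sepgsql_procedure_type, sepgsql_blob_type;
		type sepgsql_trusted_domain_t;
	')

	# Per-user object types (assumed names). The typeattribute statements
	# keep the existing sepgsql_*_type rules in postgresql.te applying
	# to them, so server-side and trusted-domain access is unchanged.
	type sepgsql_$1_table_t;
	typeattribute sepgsql_$1_table_t sepgsql_table_type;

	type sepgsql_$1_proc_t;
	typeattribute sepgsql_$1_proc_t sepgsql_procedure_type;

	type sepgsql_$1_blob_t;
	typeattribute sepgsql_$1_blob_t sepgsql_blob_type;

	# The user domain is a database client; the client attribute already
	# carries the transition into the trusted procedure domain, so only the
	# role authorization is needed here (assumed to be done by this template).
	typeattribute $1_t sepgsql_client_type;
	role $1_r types sepgsql_trusted_domain_t;

	# Full access to the user's own objects. Permission sets mirror the
	# sepgsql_table_t / sepgsql_user_proc_t / sepgsql_blob_t rules that the
	# patch grants to sepgsql_client_type.
	allow $1_t sepgsql_$1_table_t : db_table { create drop getattr setattr use select update insert delete lock };
	allow $1_t sepgsql_$1_table_t : db_column { create drop getattr setattr use select update insert };
	allow $1_t sepgsql_$1_table_t : db_tuple { use select update insert delete };
	allow $1_t sepgsql_$1_proc_t : db_procedure { create drop getattr setattr execute };
	allow $1_t sepgsql_$1_blob_t : db_blob { create drop getattr setattr read write };

	# Default labels for objects this user creates. Keyed on $1_t rather
	# than on the process attribute `domain', so another module can declare
	# its own types and transitions without a conflicting rule.
	type_transition $1_t sepgsql_database_type : db_table sepgsql_$1_table_t;
	type_transition $1_t sepgsql_database_type : db_blob sepgsql_$1_blob_t;

	# Procedures: the unconfined attribute is subtracted so an administrative
	# user keeps the sepgsql_proc_t / sepgsql_user_proc_t behaviour selected
	# by the sepgsql_enable_unconfined tunable in the patch.
	type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
')
```

A userdomain would call it as postgresql_userdom_template(staff) next to the other per-user templates, after which tables, functions and large objects created by staff_t are labeled sepgsql_staff_table_t, sepgsql_staff_proc_t and sepgsql_staff_blob_t; a module that wants a foo_table_t for its own tables does the same with its own domain as the transition source, which the attribute-wide rules in the patch would not allow.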
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-06 18:51 ` Joshua Brindle
@ 2008-03-07 2:20 ` Kohei KaiGai
2008-03-07 16:16 ` Joshua Brindle
0 siblings, 1 reply; 34+ messages in thread
From: Kohei KaiGai @ 2008-03-07 2:20 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Christopher J. PeBenito, selinux
Joshua Brindle wrote:
> Christopher J. PeBenito wrote:
>> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>>
>>> The attached patch provides security policies related to
>>> SE-PostgreSQL.
>>>
>>> The following are the updates/non-changes from the previous version
>>> submitted
>>> two weeks ago. These updates replaced most of the
>>> previous
>>> one.
>>>
>>> - The targets of this patch are moved to services/postgresql.*,
>>> although the previous one added new entries.
>>>
>>
>>
>>> +tunable_policy(`sepgsql_enable_auditallow',`
>>> + auditallow domain sepgsql_database_type : db_database
>>> all_db_database_perms;
>>> + auditallow domain sepgsql_table_type : db_table
>>> all_db_table_perms;
>>> + auditallow domain sepgsql_table_type : db_column
>>> all_db_column_perms;
>>> + auditallow domain sepgsql_procedure_type : db_procedure
>>> all_db_procedure_perms;
>>> + auditallow domain sepgsql_blob_type : db_blob
>>> all_db_blob_perms;
>>> + auditallow domain sepgsql_server_type : db_blob { import
>>> export };
>>> + auditallow domain sepgsql_module_type : db_database {
>>> install_module };
>>> +')
>>>
>
>
> A couple of questions about the install_module and load_module permissions.
> First, they seem here to be referring to sepgsql_module_type as the object,
> which currently are lib_t and textrel_shlib_t, file types. So the object
> class of db_database seems to be inaccurate.
Is it appropriate to define a new permission in the file class to associate
a database with a library file?
> Also, after looking at the code I don't see why install_module and
> load_module need to be different permissions, granted they are a
> privileged operation but why not collapse them into a single access vector?
load_module is a permission to associate a database and a loadable module,
like the filesystem:associate permission.
When we try to load a shared library module, the following permissions
are required.
(Client) (Shared Library) : db_database install_module;
(Client) (Database) : db_database install_module;
(Database) (Shared Library) : db_database load_module;
`install_module' defines a relationship between a client and a database/library.
`load_module' defines a relationship between a database and a library.
> Also, why are blobs a separate object class? How is it a privileged
> operation to use blobs in a table? As far as reading and writing them
> they should be treated like any other column, shouldn't they?
In MySQL, blob is one of the data types, and it can be stored in a table.
However, in PostgreSQL a blob is a set of tuples stored in the pg_largeobject
system catalog. Separating a large binary object into small blocks improves
random access performance, but damages consistency in access control.
That is the reason why SE-PostgreSQL needs special care for blobs.
http://www.postgresql.org/docs/8.3/static/catalog-pg-largeobject.html
BTW, current PostgreSQL does not have any access control mechanism
for large objects. :(
> And one more question. I see you have a type transition for
> sepgsql_proc_t but I never saw sepgsql_proc_t as the subject of any
> rules, which I don't understand. The hooks appear to always use the
> client_sid as the subject but for stored procedures to be useful they
> may need to access data that the client wouldn't be able to, or did I
> miss something?
When a sepgsql_client_domain invokes sepgsql_trusted_proc_t, the client_sid
is transited into sepgsql_trusted_domain_t.
However, the domain is kept for invocations of any other procedure type.
sepgsql_proc_t is always an object type, as postgresql_exec_t is always a file
type, not a domain.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-07 1:52 ` Kohei KaiGai
@ 2008-03-07 9:32 ` Kohei KaiGai
2008-03-07 20:48 ` Christopher J. PeBenito
2008-03-10 7:52 ` [PATCH] SE-PostgreSQL Security Policy Kohei KaiGai
2 siblings, 0 replies; 34+ messages in thread
From: Kohei KaiGai @ 2008-03-07 9:32 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 2855 bytes --]
The attached patch provides revised SE-PostgreSQL security policy.
I changed the following points:
- Interfaces are renamed from sepgsql_* to postgresql_*
- Tunables to turn on/off audit logs are removed.
- The unlabeled_t is associated with the database object attributes
via interfaces at kernel/kernel.te.
- sepgsql_(database|table|procedure|blob)_object interfaces
are added for unlabeled_t and end-user extension.
- sepgsql_server_type is removed, postgresql_t is used instead.
- Widespread type_transition rules are removed.
- Add postgresql_userdom_template(userdom_prefix).
However,
>> The two existing connect interfaces (tcp and stream) should probably
>> call this interface. If it's regular postgresql, it won't hurt anything.
>
> OK,
I didn't apply this update yet, because it is invoked with an attribute
in Fedora default policy.
I tested this patch by applying it to selinux-policy-3.3.1-11.fc9, and
it works fine.
I think detailed explanations are necessary for postgresql_userdom_template()
and client attributes.
postgresql_userdom_template() requires a userdomain prefix, like `staff'.
It declares the following types and allows (USERDOM)_t to access them with
few limitations.
- sepgsql_FOO_table_t
- sepgsql_FOO_proc_t
- sepgsql_FOO_blob_t
(USERDOM)_t also gets type_transition rules to create database objects
with the above types. But these rules will be invalidated when (USERDOM)_t
belongs to sepgsql_unconfined_type and sepgsql_enable_unconfined is turned on.
There are three attributes for domains.
* sepgsql_client_type
Any domain which wants to connect to SE-PostgreSQL is associated with
this attribute. Some restricted accesses are allowed to this
attribute, like read-only on sepgsql_ro_table_t.
* sepgsql_userdom_type
Any domain which uses postgresql_userdom_template() is associated
with this attribute.
They are allowed to access user domain local types (like sepgsql_FOO_t)
with few limitations (relabeling is not allowed).
They also belong to sepgsql_client_type, so restricted accesses are
also allowed on common types.
* sepgsql_unconfined_type
Domains belonging to this attribute can access a wide range of database objects
with no limitation, when the sepgsql_enable_unconfined tunable is turned on.
If this tunable is disabled, this attribute does not give anything.
In other words, sepgsql_client_type is the set of all client domains.
It also contains sepgsql_userdom_type and sepgsql_unconfined_type,
but sepgsql_userdom_type and sepgsql_unconfined_type are not mutually
exclusive sets. The unconfined_t belongs to both attributes, for example.
The sepgsql_unconfined_type cannot invoke sepgsql_(USERDOM)_proc_t,
as the previous policy prevented it from executing sepgsql_user_proc_t.
Please review it again.
Thanks.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-sepostgresql.2.patch --]
[-- Type: text/x-patch, Size: 19522 bytes --]
Index: refpolicy-sepgsql/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-sepgsql/policy/modules/kernel/kernel.te (revision 2632)
+++ refpolicy-sepgsql/policy/modules/kernel/kernel.te (working copy)
@@ -358,6 +358,17 @@
########################################
#
+# Unlabeled database objects
+#
+optional_policy(`
+ postgresql_database_object(unlabeled_t)
+ postgresql_table_object(unlabeled_t)
+ postgresql_procedure_object(unlabeled_t)
+ postgresql_blob_object(unlabeled_t)
+')
+
+########################################
+#
# Rules for unconfined acccess to this module
#
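Review bot: the new optional_policy block gives unlabeled_t every database object attribute without a comment saying which objects are expected to carry an unlabeled context. Elsewhere in this patch postgresql_t is allowed `db_database *` and `{ db_table db_column db_tuple } *` on those attributes, and sepgsql_unconfined_type gets the same under the tunable, so marking unlabeled_t here extends the server's and the unconfined domains' reach to any object that has lost its label. Either state the case that needs it (objects created before a labelled policy was loaded, for instance) in a comment above the block, or drop it and let unlabeled objects stay inaccessible until they are relabeled.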
Index: refpolicy-sepgsql/policy/modules/services/postgresql.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.if (revision 2632)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.if (working copy)
@@ -120,3 +120,202 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+#######################################
+## <summary>
+## The userdomain template for the SE-PostgreSQL.
+## </summary>
+## <desc>
+## This template creates a delivered types which are used
+## for given userdomains.
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`postgresql_userdom_template',`
+ gen_require(`
+ class db_database all_db_database_perms;
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_client_type;
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_userdom_type;
+
+ attribute sepgsql_database_type;
+ attribute sepgsql_table_type;
+ attribute sepgsql_procedure_type;
+ attribute sepgsql_blob_type;
+
+ type sepgsql_trusted_domain_t;
+
+ bool sepgsql_enable_unconfined;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+ typeattribute $1_t sepgsql_client_type;
+ typeattribute $1_t sepgsql_userdom_type;
+
+ type sepgsql_$1_table_t, sepgsql_table_type;
+ type sepgsql_$1_proc_t, sepgsql_procedure_type;
+ type sepgsql_$1_blob_t, sepgsql_blob_type;
+
+ ##############################
+ #
+ # Client local policy
+ #
+
+ tunable_policy(`sepgsql_enable_unconfined',`
+ type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
+ type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
+ type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
+ ',`
+ type_transition $1_t sepgsql_database_type : db_table sepgsql_$1_table_t;
+ type_transition $1_t sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
+ type_transition $1_t sepgsql_database_type : db_blob sepgsql_$1_blob_t;
+ ')
+ allow $1_t sepgsql_$1_table_t : db_table { create drop getattr setattr use select update insert delete };
+ allow $1_t sepgsql_$1_table_t : db_column { create drop getattr setattr use select update insert };
+ allow $1_t sepgsql_$1_table_t : db_tuple { use select update insert delete };
+
+ allow $1_t sepgsql_$1_proc_t : db_procedure { create drop getattr setattr execute };
+
+ allow $1_t sepgsql_$1_blob_t : db_blob { create drop getattr setattr read write };
+
+ # Trusted Procedure
+ role $1_r types sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unconfined accesses to any database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unconfined',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_unconfined_type;
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unprivileged accesses to unifined database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_client',`
+ gen_require(`
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL database object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_database_object',`
+ gen_require(`
+ attribute sepgsql_database_type;
+ ')
+ typeattribute $1 sepgsql_database_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ ')
+ typeattribute $1 sepgsql_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL procedure object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_procedure_object',`
+ gen_require(`
+ attribute sepgsql_procedure_type;
+ ')
+ typeattribute $1 sepgsql_procedure_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL binary large object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database binary large object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_blob_object',`
+ gen_require(`
+ attribute sepgsql_blob_type;
+ ')
+ typeattribute $1 sepgsql_blob_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_loadable_module',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+ typeattribute $1 sepgsql_module_type;
+')
+
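Review bot: the XML documentation in this hunk has copy-paste and spelling slips that will show up in the generated interface reference: `delivered types` in postgresql_userdom_template should read `derived types`; `unifined database objects` in postgresql_client looks like a typo; and the `<param>` summaries of postgresql_procedure_object and postgresql_loadable_module still say `database object type` instead of procedure or loadable module type. The template also lists `bool sepgsql_enable_unconfined` and `type sepgsql_trusted_domain_t` in gen_require but never explains that it assigns the user's role to the trusted domain, so a short comment next to `role $1_r types sepgsql_trusted_domain_t;` would help, and the trailing blank `+` line at the end of the file should be dropped.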
Index: refpolicy-sepgsql/policy/modules/services/apache.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.te (revision 2632)
+++ refpolicy-sepgsql/policy/modules/services/apache.te (working copy)
@@ -479,6 +479,8 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
')
+
+ postgresql_client(httpd_t)
')
optional_policy(`
Index: refpolicy-sepgsql/policy/modules/services/apache.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.if (revision 2632)
+++ refpolicy-sepgsql/policy/modules/services/apache.if (working copy)
@@ -226,6 +226,10 @@
')
optional_policy(`
+ postgresql_client(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
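Review bot: the new optional_policy block for `postgresql_client(httpd_$1_script_t)` is inserted ahead of the nscd_socket_use block; refpolicy keeps optional_policy blocks sorted alphabetically by module, so this one belongs after nscd. It is also unconditional: every httpd_$1_script_t domain becomes a sepgsql_client_type whenever the postgresql module is present, while apache.te gates the TCP connect behind httpd_can_network_connect_db. If script access to the database is meant to follow that tunable, the call should sit inside the same tunable_policy block; if it is meant to be always on, a comment saying so would prevent the next reviewer asking.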
Index: refpolicy-sepgsql/policy/modules/services/postgresql.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.te (revision 2632)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.te (working copy)
@@ -166,3 +166,188 @@
optional_policy(`
udev_read_db(postgresql_t)
')
+
+#################################
+#
+# SE-PostgreSQL Boolean declarations
+#
+
+## <desc>
+## <p>
+## Allow to enable unconfined domains
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_unconfined, true)
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
+#################################
+#
+# SE-PostgreSQL Type/Attribute declarations
+#
+
+# database subjects
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+attribute sepgsql_userdom_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database trusted domain
+type sepgsql_trusted_domain_t;
+
+# database object types
+type sepgsql_db_t;
+postgresql_database_object(sepgsql_db_t)
+
+type sepgsql_table_t;
+postgresql_table_object(sepgsql_table_t)
+type sepgsql_sysobj_t;
+postgresql_table_object(sepgsql_sysobj_t)
+type sepgsql_secret_table_t;
+postgresql_table_object(sepgsql_secret_table_t)
+type sepgsql_ro_table_t;
+postgresql_table_object(sepgsql_ro_table_t)
+type sepgsql_fixed_table_t;
+postgresql_table_object(sepgsql_fixed_table_t)
+
+type sepgsql_proc_t;
+postgresql_procedure_object(sepgsql_proc_t)
+type sepgsql_trusted_proc_t;
+postgresql_procedure_object(sepgsql_trusted_proc_t)
+
+type sepgsql_blob_t;
+postgresql_blob_object(sepgsql_blob_t)
+type sepgsql_ro_blob_t;
+postgresql_blob_object(sepgsql_ro_blob_t)
+type sepgsql_secret_blob_t;
+postgresql_blob_object(sepgsql_secret_blob_t)
+
+########################################
+#
+# SE-PostgreSQL Server Local policy
+# (postgresql_t)
+
+allow postgresql_t self : netlink_selinux_socket create_socket_perms;
+selinux_get_fs_mount(postgresql_t)
+selinux_get_enforce_mode(postgresql_t)
+selinux_validate_context(postgresql_t)
+selinux_compute_access_vector(postgresql_t)
+selinux_compute_create_context(postgresql_t)
+selinux_compute_relabel_context(postgresql_t)
+
+allow postgresql_t sepgsql_database_type : db_database *;
+allow postgresql_t sepgsql_module_type : db_database { install_module };
+allow postgresql_t sepgsql_table_type : { db_table db_column db_tuple } *;
+allow postgresql_t sepgsql_procedure_type : db_procedure *;
+allow postgresql_t sepgsql_blob_type : db_blob *;
+
+# server specific type transitions
+type_transition postgresql_t postgresql_t : db_database sepgsql_db_t;
+type_transition postgresql_t sepgsql_database_type : db_table sepgsql_sysobj_t;
+type_transition postgresql_t sepgsql_database_type : db_procedure sepgsql_proc_t;
+type_transition postgresql_t sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL Administrative domain local policy
+# (sepgsql_unconfined_type)
+
+tunable_policy(`sepgsql_enable_unconfined',`
+ allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
+ allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
+ allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
+ allow sepgsql_unconfined_type sepgsql_proc_t : db_procedure *;
+ allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_proc_t } : db_procedure { create drop getattr setattr relabelfrom relabelto };
+ allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
+ allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
+
+ type_transition sepgsql_unconfined_type sepgsql_database_type : db_table sepgsql_table_t;
+ type_transition sepgsql_unconfined_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+ type_transition sepgsql_unconfined_type sepgsql_database_type : db_blob sepgsql_blob_t;
+')
+
+########################################
+#
+# SE-PostgreSQL unpriv-Client domain local policy
+# (sepgsql_client_type)
+
+allow sepgsql_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
+
+allow sepgsql_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
+allow sepgsql_client_type sepgsql_table_t : db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t : db_tuple { use select update insert delete };
+
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_client_type sepgsql_table_t : db_table { create drop setattr };
+ allow sepgsql_client_type sepgsql_table_t : db_column { create drop setattr };
+')
+
+allow sepgsql_client_type sepgsql_sysobj_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { use select update insert delete };
+
+allow sepgsql_client_type sepgsql_secret_table_t : db_table { getattr };
+allow sepgsql_client_type sepgsql_secret_table_t : db_column { getattr };
+
+allow sepgsql_client_type sepgsql_ro_table_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_fixed_table_t : db_table { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_proc_t : db_procedure { getattr execute };
+allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t : db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t : db_blob { getattr };
+
+# call trusted procedure
+type_transition sepgsql_client_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
+allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };
+
+# type transitions for rest of domains
+type_transition sepgsql_client_type postgresql_t : db_database sepgsql_db_t;
+tunable_policy(`sepgsql_enable_unconfined',`
+ type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_table sepgsql_table_t;
+ type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
+ type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_blob sepgsql_blob_t;
+',`
+ type_transition { sepgsql_client_type - sepgsql_userdom_type } sepgsql_database_type : db_table sepgsql_table_t;
+ type_transition { sepgsql_client_type - sepgsql_userdom_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
+ type_transition { sepgsql_client_type - sepgsql_userdom_type } sepgsql_database_type : db_blob sepgsql_blob_t;
+')
+
+########################################
+#
+# SE-PostgreSQL Misc policies
+#
+
+# Trusted Procedure Domain
+domain_type(sepgsql_trusted_domain_t)
+postgresql_unconfined(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+
+# The following permissions are allowed, even if sepgsql_enable_unconfined is disabled.
+allow sepgsql_trusted_domain_t sepgsql_database_type : db_database { getattr setattr access get_param set_param};
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_table { getattr use select update insert delete lock };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_column { getattr use select update insert };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_tuple { use select update insert delete };
+
+allow sepgsql_trusted_domain_t sepgsql_blob_type : db_blob { getattr setattr read write };
+
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type : db_database { load_module };
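Review bot: `allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };` grants entrypoint to the caller, whereas for file:entrypoint the check is made with the new domain as the subject; either sepgsql_trusted_domain_t should be the one allowed entrypoint on sepgsql_trusted_proc_t, or a comment should say that the SE-PostgreSQL hook checks it against the client context, because readers will assume the file semantics. Two style nits: `{ getattr access get_param set_param}` (twice in this hunk) is missing the space before `}`, and the tunable description `Allow unprived users to execute DDL statement` should read `Allow unprivileged users to execute DDL statements`. Finally, `allow sepgsql_database_type sepgsql_module_type : db_database { load_module };` uses an object attribute as the subject of an allow rule; a comment stating that the database itself, not a process, is the subject of load_module (the filesystem:associate analogy given in this thread) would save the question being asked again.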
Index: refpolicy-sepgsql/policy/modules/services/postgresql.fc
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.fc (revision 2632)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.fc (working copy)
@@ -6,8 +6,9 @@
#
# /usr
#
-/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
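Review bot: `/usr/bin/sepg_ctl` is labelled initrc_exec_t while `/usr/bin/(se)?postgres` and `/usr/bin/initdb(\.sepgsql)?` get postgresql_exec_t; initrc_exec_t makes the control script an init-script entry point for every domain allowed to run init scripts, which is a broader grant than a service-specific exec type. Please add a comment on why sepg_ctl needs initrc_exec_t, or give it a dedicated type that only the intended management domains can execute.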
@@ -30,8 +31,12 @@
/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
ifdef(`distro_redhat', `
/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
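Review bot: `/var/lib/sepgsql/pgstartup\.log` is given the `--` (regular file) qualifier while the `/var/lib/pgsql/pgstartup\.log` line directly above it has none; the two entries should use the same form so that the two installations are labelled consistently, and the stricter `--` form is the better one to keep.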
Index: refpolicy-sepgsql/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/userdomain.if (revision 2632)
+++ refpolicy-sepgsql/policy/modules/system/userdomain.if (working copy)
@@ -1201,6 +1201,10 @@
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
+ optional_policy(`
+ postgresql_userdom_template($1)
+ ')
+
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -1371,6 +1375,10 @@
')
optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+
+ optional_policy(`
userhelper_exec($1_t)
')
')
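Review bot: `postgresql_unconfined($1_t)` is added to the admin user template, but everything the interface grants in postgresql.te sits inside tunable_policy(`sepgsql_enable_unconfined'), and the interface additionally adds sepgsql_client_type. Other *_unconfined() interfaces in refpolicy grant their access unconditionally, so an admin domain that calls this one behaves differently from what the name suggests when the tunable is off. Either make the interface unconditional, or state in its summary that the access depends on the tunable.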
Index: refpolicy-sepgsql/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.te (revision 2632)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.te (working copy)
@@ -189,6 +189,11 @@
')
optional_policy(`
+ postgresql_userdom_template(unconfined)
+ postgresql_unconfined(unconfined_t)
+')
+
+optional_policy(`
tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
Index: refpolicy-sepgsql/policy/modules/system/libraries.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/libraries.te (revision 2632)
+++ refpolicy-sepgsql/policy/modules/system/libraries.te (working copy)
@@ -109,3 +109,8 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ postgresql_loadable_module(lib_t)
+ postgresql_loadable_module(textrel_shlib_t)
+')
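Review bot: marking lib_t and textrel_shlib_t as sepgsql_module_type makes every shared library on the system an acceptable target for `db_database { install_module load_module }`, so the two permissions only decide whether a domain may load libraries at all, not which ones. A dedicated file type for the PostgreSQL extension library directory (none is named in this patch) would let the policy confine which objects can be loaded into the server. The new block is also appended after the rpm block; it belongs before it in the alphabetical order refpolicy uses for optional_policy blocks.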
Index: refpolicy-sepgsql/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.if (revision 2632)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.if (working copy)
@@ -88,6 +88,10 @@
')
optional_policy(`
+ postgresql_unconfined($1)
+ ')
+
+ optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
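The attribute layout explained in the message above (sepgsql_client_type as the set of all clients, sepgsql_userdom_type and sepgsql_unconfined_type overlapping in unconfined_t, and the `- sepgsql_unconfined_type` / `- sepgsql_userdom_type` subtractions that keep postgresql_userdom_template(), the unconfined block and the client block from clashing) can be checked mechanically. The following Python model is an added example, not code from the patch or from the refpolicy tree: it encodes the db_table/db_procedure/db_blob type_transition rules of the patch as data, resolves the default type each domain would create under both settings of sepgsql_enable_unconfined, and reports any (source, class) pair for which two active rules disagree, which checkpolicy would reject. The domains staff_t, unconfined_t and httpd_t and their attribute sets are constructed samples chosen to follow the patch's interface calls; the `template_excludes_unconfined` switch is a hypothetical knob that lets the model show what the subtraction in the template is for.

```python
"""Resolve SE-PostgreSQL default object types from the patch's type_transition rules.

Added example, not code from the patch or the refpolicy tree.  It models the
db_table/db_procedure/db_blob type_transition rules declared in postgresql.te
and postgresql_userdom_template(), resolves the default type a domain would
create under each setting of the sepgsql_enable_unconfined tunable, and flags
any (source, class) pair that ends up with two different results.
"""
from dataclasses import dataclass
from typing import List, Optional

CLIENT = "sepgsql_client_type"
USERDOM = "sepgsql_userdom_type"
UNCONFINED = "sepgsql_unconfined_type"

# object class -> infix used by the type names in the patch (sepgsql_<prefix>_table_t, ...)
CLASSES = {"db_table": "table", "db_procedure": "proc", "db_blob": "blob"}

# Constructed sample domains.  staff_t comes from postgresql_userdom_template(staff);
# unconfined_t gets the template AND postgresql_unconfined(), which assigns both
# sepgsql_unconfined_type and sepgsql_client_type; httpd_t only postgresql_client().
DOMAINS = {
    "staff_t": frozenset({CLIENT, USERDOM}),
    "unconfined_t": frozenset({CLIENT, USERDOM, UNCONFINED}),
    "httpd_t": frozenset({CLIENT}),
}
USERDOM_PREFIX = {"staff_t": "staff", "unconfined_t": "unconfined"}


@dataclass(frozen=True)
class Transition:
    """type_transition { source - minus ... } sepgsql_database_type : cls result;"""
    source: str          # a concrete type or an attribute
    minus: frozenset     # attributes subtracted from the source set
    cls: str
    result: str
    origin: str          # which block of the patch the rule comes from

    def matches(self, domain: str, attrs: frozenset) -> bool:
        in_source = self.source == domain or self.source in attrs
        return in_source and not (self.minus & attrs) and domain not in self.minus


def active_rules(enabled: bool, template_excludes_unconfined: bool = True) -> List[Transition]:
    """Rules in force for one value of sepgsql_enable_unconfined."""
    rules = []
    # postgresql_userdom_template($1): the enabled branch subtracts sepgsql_unconfined_type
    tmpl_minus = frozenset({UNCONFINED}) if (enabled and template_excludes_unconfined) else frozenset()
    for dom, prefix in USERDOM_PREFIX.items():
        for cls, infix in CLASSES.items():
            rules.append(Transition(dom, tmpl_minus, cls, f"sepgsql_{prefix}_{infix}_t",
                                    f"postgresql_userdom_template({prefix})"))
    # "Administrative domain local policy": only inside tunable_policy(`sepgsql_enable_unconfined')
    if enabled:
        for cls, infix in CLASSES.items():
            rules.append(Transition(UNCONFINED, frozenset(), cls, f"sepgsql_{infix}_t",
                                    "sepgsql_unconfined_type block"))
    # "unpriv-Client domain local policy": the subtraction set depends on the tunable
    client_minus = frozenset({UNCONFINED, USERDOM}) if enabled else frozenset({USERDOM})
    for cls, infix in CLASSES.items():
        rules.append(Transition(CLIENT, client_minus, cls, f"sepgsql_{infix}_t",
                                "sepgsql_client_type block"))
    return rules


def resolve(domain: str, cls: str, enabled: bool, **opts) -> Optional[str]:
    """Default type for an object of class `cls` created by `domain`, or None when
    no rule applies.  Raises ValueError when two active rules disagree."""
    attrs = DOMAINS[domain]
    hits = {r.result: r.origin for r in active_rules(enabled, **opts)
            if r.cls == cls and r.matches(domain, attrs)}
    if len(hits) > 1:
        raise ValueError(f"conflicting type_transition for {domain}:{cls}: {hits}")
    return next(iter(hits), None)


def conflicts(enabled: bool, **opts) -> List[str]:
    """Every 'domain:class' pair whose active rules disagree (empty list means the policy compiles)."""
    bad = []
    for domain in DOMAINS:
        for cls in CLASSES:
            try:
                resolve(domain, cls, enabled, **opts)
            except ValueError:
                bad.append(f"{domain}:{cls}")
    return bad


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"sepgsql_enable_unconfined = {str(enabled).lower()}")
        for domain in DOMAINS:
            print(f"  {domain:13} creates", {c: resolve(domain, c, enabled) for c in CLASSES})
        print("  conflicts:", conflicts(enabled) or "none")
    # Dropping `- sepgsql_unconfined_type' from the template makes unconfined_t
    # match both the template rule and the unconfined block rule.
    print("without the subtraction:", conflicts(True, template_excludes_unconfined=False))
```

With the rules as written, unconfined_t creates sepgsql_table_t while the tunable is on and sepgsql_unconfined_table_t while it is off, staff_t always creates sepgsql_staff_table_t, and httpd_t always creates sepgsql_table_t; removing the subtraction in the template gives unconfined_t two candidate results for every class, which is the conflict the subtraction exists to prevent.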
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-07 2:20 ` Kohei KaiGai
@ 2008-03-07 16:16 ` Joshua Brindle
2008-03-08 1:33 ` KaiGai Kohei
0 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2008-03-07 16:16 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: Christopher J. PeBenito, selinux
Kohei KaiGai wrote:
> Joshua Brindle wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>>>
>>>> The attached patch provides security policies related to
>>>> SE-PostgreSQL.
>>>>
>>>> The following are updates/unchanged items from the previous version
>>>> submitted
>>>> two weeks ago. These updates replaced most of the part in the
>>>> previous
>>>> one.
>>>>
>>>> - The targets of this patch are moved to services/postgresql.*,
>>>> although the previous one added new entries.
>>>>
>>>
>>>
>>>> +tunable_policy(`sepgsql_enable_auditallow',`
>>>> + auditallow domain sepgsql_database_type : db_database
>>>> all_db_database_perms;
>>>> + auditallow domain sepgsql_table_type : db_table
>>>> all_db_table_perms;
>>>> + auditallow domain sepgsql_table_type : db_column
>>>> all_db_column_perms;
>>>> + auditallow domain sepgsql_procedure_type : db_procedure
>>>> all_db_procedure_perms;
>>>> + auditallow domain sepgsql_blob_type : db_blob
>>>> all_db_blob_perms;
>>>> + auditallow domain sepgsql_server_type : db_blob { import
>>>> export };
>>>> + auditallow domain sepgsql_module_type : db_database {
>>>> install_module };
>>>> +')
>>>>
>>
>>
>> A couple questions about the install_module and load_module
>> permissions. First they seem here to be referring to
>> sepgsql_module_type as the object which currently are lib_t and
>> textrel_shlib_t, file types. So the object class of db_database seems
>> to be inaccurate.
>
> Is it appropriate to define a new permission in file class to associate
> a database with a library file?
>
It's an interesting question of how to handle this situation, not just
now but in the future.
>> Also, after looking at the code I don't see why install_module and
>> load_module need to be different permissions, granted they are a
>> privileged operation but why not collapse them into a single access
>> vector?
>
> load_module is a permission to associate a database and a loadable
> module,
> like filesystem:associate permission.
>
> When we try to load a shared library module, the following permissions
> are required.
>
> (Client) (Shared Library) : db_database install_module;
> (Client) (Database) : db_database install_module;
> (Database) (Shared Library) : db_database load_module;
>
> `install_module' defines a relationship between a client and
> database/library.
> `load_module' defines a relationship between a database and library.
>
I see, do you have an actual use case for load_module? I don't know that
filesystem:associate has ever been used in a useful way, though I might
just not know of such a use.
>> Also, why are blobs a separate object class? How is it a privileged
>> operation to use blobs in a table? As far as reading and writing them
>> they should be treated like any other column, shouldn't they?
>
> In MySQL, blob is one of the data types, and it can be stored in a table.
> However, in PostgreSQL a blob is a set of tuples stored in the pg_largeobject
> system catalog. Separating a large binary object into small blocks improves
> random access performance, but damages consistency in access control.
> That is the reason why SE-PostgreSQL needs special care for blobs.
>
> http://www.postgresql.org/docs/8.3/static/catalog-pg-largeobject.html
>
> BTW, current PostgreSQL does not have any access controls mechanism
> in large object. :(
>
Hrm, I am going to have to ponder this one a little while longer then,
I'm much more familiar with how MySQL handles blobs than Postgres.
>> And one more question. I see you have a type transition for
>> sepgsql_proc_t but I never saw sepgsql_proc_t as the subject of any
>> rules, which I don't understand. The hooks appear to always use the
>> client_sid as the subject but for stored procedures to be useful they
>> may need to access data that the client wouldn't be able to, or did I
>> miss something?
>
> When a sepgsql_client_domain invokes sepgsql_trusted_proc_t, the
> client_sid
> is transitioned into sepgsql_trusted_domain_t.
> However, domain transition is kept in invocations for another
> procedure type.
> sepgsql_proc_t is always an object type, as postgresql_exec_t is always
> a file
> type, not a domain.
>
What if you call multiple procedures in a single call? Are the domain
transition lifetimes limited to while the procedure is running? Are the
other columns queried in the same query the original caller context?
e.g., if I did:
select fname, lname, get_ssn(ssn), dob, get_cr(cr);
and there were type_transitions for get_ssn and get_cr, how are the
transitions handled?
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-07 1:52 ` Kohei KaiGai
2008-03-07 9:32 ` Kohei KaiGai
@ 2008-03-07 20:48 ` Christopher J. PeBenito
2008-03-09 14:24 ` KaiGai Kohei
2008-03-10 7:52 ` [PATCH] SE-PostgreSQL Security Policy Kohei KaiGai
2 siblings, 1 reply; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-03-07 20:48 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: selinux
On Fri, 2008-03-07 at 10:52 +0900, Kohei KaiGai wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
> >> The attached patch provides security policies related to
> >> SE-PostgreSQL.
[...]
> >> +typeattribute unlabeled_t sepgsql_database_type;
> >> +typeattribute unlabeled_t sepgsql_table_type;
> >> +typeattribute unlabeled_t sepgsql_procedure_type;
> >> +typeattribute unlabeled_t sepgsql_blob_type;
> >
> > Usage of unlabeled_t here is not permitted.
>
> Is it an appropriate manner to deploy optional_policy at kernel/kernel.te?
Why is this needed at all?
> >> +########################################
> >> +#
> >> +# SE-PostgreSQL Administrative domain local policy
> >> +# (sepgsql_unconfined_type)
> >> +
> >> +tunable_policy(`sepgsql_enable_unconfined',`
> >> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
> >> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
> >> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
> >> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
> >> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
> >> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
> >> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
> >> +
> >> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
> >> +',`
> >> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
> >> +')
> >
> > Why is this tunable? Why is there a different type_transition behavior?
>
> I intend that users can turn off this tunable during the operation phase
> after the initial database setup, to prevent applying unconfined accesses.
>
> When sepgsql_enable_unconfined is disabled, sepgsql_unconfined_type works
> as if it were sepgsql_client_type, because the sepgsql_unconfined_domain() interface
> associates a domain with sepgsql_(unconfined|client)_type.
The problem is that this is inconsistent with the way other
*_unconfined() access works.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-07 16:16 ` Joshua Brindle
@ 2008-03-08 1:33 ` KaiGai Kohei
0 siblings, 0 replies; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-08 1:33 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Kohei KaiGai, Christopher J. PeBenito, selinux
Joshua Brindle wrote:
>>> Also, after looking at the code I don't see why install_module and
>>> load_module need to be different permissions, granted they are a
>>> privileged operation but why not collapse them into a single access
>>> vector?
>>
>> load_module is a permission to associate a database and a loadable
>> module,
>> like filesystem:associate permission.
>>
>> When we try to load a shared library module, the following permissions
>> are required.
>>
>> (Client) (Shared Library) : db_database install_module;
>> (Client) (Database) : db_database install_module;
>> (Database) (Shared Library) : db_database load_module;
>>
>> `install_module' defines a relationship between a client and
>> database/library.
>> `load_module' defines a relationship between a database and library.
>>
>
> I see, do you have an actual use case for load_module? I don't know that
> filesystem:associate has ever been used in a useful way, though I might
> just not know of such a use.
The db_database:install_module is evaluated when a client tries to
declare a function implemented in an external shared library file.
The db_database:load_module is evaluated whenever SE-PostgreSQL
tries to load a shared library file.
In the latter case, it has to be evaluated after the server process
restarts. If someone replaces shared library files while
SE-PostgreSQL is stopped, the prior checks are invalid.
However, I doubt a bit whether SE-PostgreSQL should check the first
relationship between client and shared libraries, or not.
It may not be the work of a `reference monitor for SQL'.
<snip>
>>> And one more question. I see you have a type transition for
>>> sepgsql_proc_t but I never saw sepgsql_proc_t as the subject of any
>>> rules, which I don't understand. The hooks appear to always use the
>>> client_sid as the subject but for stored procedures to be useful they
>>> may need to access data that the client wouldn't be able to, or did I
>>> miss something?
>>
>> When a sepgsql_client_domain invokes sepgsql_trusted_proc_t, the client_sid
>> is transited into sepgsql_trusted_domain_t.
>> However, the domain transition is kept in invocations for other
>> procedure types.
>> sepgsql_proc_t is always an object type, as postgresql_exec_t is always
>> a file type, not a domain.
>>
>
> What if you call multiple procedures in a single call? Are the domain
> transition lifetimes limited to while the procedure is running? Are the
> other columns queried in the same query the original caller context?
Yes, we can put several different trusted procedures in a single call.
Yes, every domain transition's lifetime is limited to while the procedure
is running. However, setting up function arguments is not included within
the lifetime of the domain transition.
Yes, other columns are referred to in the original client context.
> e.g., if I did:
>
> select fname, lname, get_ssn(ssn), dob, get_cr(cr);
>
> and there were type_transitions for get_ssn and get_cr, how are the
> transitions handled?
If "ssn" and "cr" are hidden from the client, the above query does not
succeed, even if get_ssn() and get_cr() are declared as trusted procedures.
The context is the original one when it reads "ssn" and "cr" to set up
the arguments of the trusted procedure, so it cannot refer to these columns.
You have to give get_ssn()/get_cr() a key to refer to this table,
then these functions run another query under the new domain.
Please consider the following situation:
select fname, lname, get_ssn(malicious_intercept(ssn)), ...
If we can refer to "ssn", it breaks everything :)
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
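The evaluation order KaiGai describes in the message above (arguments of a trusted procedure are read in the caller's context; only the procedure body runs in the transitioned domain, and the transition ends when the body returns) is easy to get wrong when writing trusted procedures. The following is an added example, not SE-PostgreSQL code and not from this thread: a small Python model of that evaluation order. sepgsql_trusted_proc_t and sepgsql_trusted_domain_t are the names used in the message; sepgsql_client_t, sepgsql_secret_table_t, the table rows and the procedures get_ssn/get_ssn_by_id are constructed for the example, and the model only checks db_column select and db_procedure execute.

```python
"""Model of trusted-procedure evaluation order in SE-PostgreSQL as described
in the thread: arguments are read in the caller's domain, only the procedure
body runs in the transitioned domain, and the transition ends with the body.
Added example, not SE-PostgreSQL code; policy, labels and rows are constructed."""
from dataclasses import dataclass
from typing import Callable


class AccessDenied(Exception):
    """Where SE-PostgreSQL would emit 'SELinux: denied { ... }'."""


@dataclass(frozen=True)
class Policy:
    allow: frozenset          # (subject domain, object type, class, permission)
    transitions: dict         # trusted procedure type -> domain its body runs in

    def check(self, domain, obj_type, tclass, perm):
        if (domain, obj_type, tclass, perm) not in self.allow:
            raise AccessDenied(
                f"denied {{ {perm} }} scontext={domain} tcontext={obj_type} tclass={tclass}")


@dataclass
class Table:
    columns: dict             # column name -> column type (its label)
    rows: list                # list of dicts


@dataclass
class Procedure:
    label: str                # procedure type
    body: Callable            # body(db, domain, *args); runs in `domain`


class Database:
    def __init__(self, policy, tables, procs):
        self.policy, self.tables, self.procs = policy, tables, procs

    def read_column(self, domain, table, column, row):
        # Reduced model: only the db_column select check, against the reading domain.
        self.policy.check(domain, self.tables[table].columns[column], "db_column", "select")
        return row[column]

    def call(self, domain, name, *args):
        proc = self.procs[name]
        self.policy.check(domain, proc.label, "db_procedure", "execute")
        # Trusted procedure: the body runs in the transitioned domain; the
        # transition does not outlive the body, so sibling columns are unaffected.
        body_domain = self.policy.transitions.get(proc.label, domain)
        return proc.body(self, body_domain, *args)


def run_select(db, domain, table, items):
    """Evaluate a select list per row.  An item is a column name or
    ("call", procedure, [argument columns]); arguments are read in the
    caller's domain before the procedure is entered."""
    out = []
    for row in db.tables[table].rows:
        values = []
        for item in items:
            if isinstance(item, str):
                values.append(db.read_column(domain, table, item, row))
            else:
                _, proc, arg_cols = item
                args = [db.read_column(domain, table, c, row) for c in arg_cols]
                values.append(db.call(domain, proc, *args))
        out.append(tuple(values))
    return out


def attempt(db, domain, table, items):
    """("ok", rows) or ("denied", message), so callers can compare outcomes."""
    try:
        return ("ok", run_select(db, domain, table, items))
    except AccessDenied as exc:
        return ("denied", str(exc))


def build_demo():
    # Constructed policy.  sepgsql_client_t and sepgsql_secret_table_t are
    # assumptions of this example; the trusted_proc/trusted_domain names are from the thread.
    policy = Policy(
        allow=frozenset({
            ("sepgsql_client_t", "sepgsql_table_t", "db_column", "select"),
            ("sepgsql_client_t", "sepgsql_trusted_proc_t", "db_procedure", "execute"),
            ("sepgsql_trusted_domain_t", "sepgsql_table_t", "db_column", "select"),
            ("sepgsql_trusted_domain_t", "sepgsql_secret_table_t", "db_column", "select"),
        }),
        transitions={"sepgsql_trusted_proc_t": "sepgsql_trusted_domain_t"},
    )
    employee = Table(
        columns={"id": "sepgsql_table_t", "fname": "sepgsql_table_t", "ssn": "sepgsql_secret_table_t"},
        rows=[{"id": 1, "fname": "alice", "ssn": "123-45-6789"},
              {"id": 2, "fname": "bob", "ssn": "987-65-4321"}],
    )

    def get_ssn(db, domain, value):
        # Body only sees what the caller already read; the hidden column was
        # requested in the caller's domain, so this is never reached for it.
        return value[-4:]

    def get_ssn_by_id(db, domain, emp_id):
        # Body does its own lookup in the trusted domain, which may read the hidden column.
        for row in db.tables["employee"].rows:
            if row["id"] == emp_id:
                return db.read_column(domain, "employee", "ssn", row)[-4:]
        return None

    procs = {"get_ssn": Procedure("sepgsql_trusted_proc_t", get_ssn),
             "get_ssn_by_id": Procedure("sepgsql_trusted_proc_t", get_ssn_by_id)}
    return Database(policy, {"employee": employee}, procs)


if __name__ == "__main__":
    db = build_demo()
    print(attempt(db, "sepgsql_client_t", "employee", ["fname", ("call", "get_ssn", ["ssn"])]))
    print(attempt(db, "sepgsql_client_t", "employee", ["fname", ("call", "get_ssn_by_id", ["id"])]))
```

The first query in the usage section is denied on the hidden column even though get_ssn is a trusted procedure, because the argument read happens as sepgsql_client_t; the second succeeds because the body of get_ssn_by_id performs the read as sepgsql_trusted_domain_t. Placing "ssn" after the call in the select list is denied again, which is the "transition lasts only while the procedure runs" point.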
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-07 20:48 ` Christopher J. PeBenito
@ 2008-03-09 14:24 ` KaiGai Kohei
2008-03-11 12:57 ` Christopher J. PeBenito
0 siblings, 1 reply; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-09 14:24 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Kohei KaiGai, selinux
Christopher J. PeBenito wrote:
> On Fri, 2008-03-07 at 10:52 +0900, Kohei KaiGai wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>>>> The attached patch provides security policies related to
>>>> SE-PostgreSQL.
> [...]
>>>> +typeattribute unlabeled_t sepgsql_database_type;
>>>> +typeattribute unlabeled_t sepgsql_table_type;
>>>> +typeattribute unlabeled_t sepgsql_procedure_type;
>>>> +typeattribute unlabeled_t sepgsql_blob_type;
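Review bot: adding unlabeled_t to sepgsql_database_type, sepgsql_table_type, sepgsql_procedure_type and sepgsql_blob_type makes every rule written against those attributes apply to objects whose label has been invalidated, including the wildcard grants in the administrative block below (`allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;`), which is far more than the relabel case described in the reply needs. unlabeled_t is owned by the kernel module, so a services module should not typeattribute it directly; request an interface in kernel/kernel.if that adds unlabeled_t to a caller-supplied attribute, and pair it with rules limited to getattr and relabelfrom for the administrative domain rather than full membership in the object attributes.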
>>> Usage of unlabeled_t here is not permitted.
>> Is it an appropriate manner to deploy optional_policy at kernel/kernel.te?
>
> Why is this needed at all?
Database objects have persistent security contexts, as filesystems do.
If their security contexts are invalidated by policy reloading etc., they
need to be relabeled.
The above rules enable administrative domains to access and relabel these objects
in this case.
>>>> +########################################
>>>> +#
>>>> +# SE-PostgreSQL Administrative domain local policy
>>>> +# (sepgsql_unconfined_type)
>>>> +
>>>> +tunable_policy(`sepgsql_enable_unconfined',`
>>>> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
>>>> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
>>>> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
>>>> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
>>>> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
>>>> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
>>>> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
>>>> +
>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
>>>> +',`
>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
>>>> +')
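Review bot: the else branch of this tunable_policy block changes the type_transition target for db_procedure from sepgsql_proc_t to sepgsql_user_proc_t, so the label a procedure receives depends on the state of sepgsql_enable_unconfined at creation time; procedures created while the boolean was on keep sepgsql_proc_t, and with it the `db_procedure *` access granted above, after the boolean is turned off, and nothing in the hunk relabels them. Consider a single unconditional type_transition to sepgsql_user_proc_t and let the administrator relabel a reviewed procedure to sepgsql_proc_t explicitly, which the `relabelfrom relabelto` granted on sepgsql_user_proc_t in this block already permits.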
>>> Why is this tunable? Why is there a different type_transition behavior?
>> I intend that users can turn off this tunable during its operation phase
>> after initial database setting up, to prevent applying unconfined accesses.
>>
>> When sepgsql_enable_unconfined is disabled, sepgsql_unconfined_type works
>> as if they are sepgsql_client_type, because sepgsql_unconfined_domain() interface
>> associates a domain with sepgsql_(unconfined|client)_type.
>
> The problem is that this is inconsistent with the way other
> *_unconfined() access works.
However, this feature to disclaim widespread permissions is worthwhile in a database
management system, because it is less frequently required in the operation phase, different
from the construction phase.
So, I think the default security policy should provide a way to restrict permissions
for the administrative domain.
If you are concerned that its name is confusable with other *_unconfined() interfaces,
`sepgsql_enable_unconfined' can be renamed to `sepgsql_enable_administrative' and
ditto for the name of the interface.
In my latest patch, newly created tables are labeled as sepgsql_FOO_table_t
when the client does not belong to administrative domains. Because unconfined_t loses
the grounds of its widespread permission when the boolean is disabled, it works as
a generic domain. It also includes a behavior change in type_transition for tables.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-07 1:52 ` Kohei KaiGai
2008-03-07 9:32 ` Kohei KaiGai
2008-03-07 20:48 ` Christopher J. PeBenito
@ 2008-03-10 7:52 ` Kohei KaiGai
2008-03-11 12:30 ` Christopher J. PeBenito
2 siblings, 1 reply; 34+ messages in thread
From: Kohei KaiGai @ 2008-03-10 7:52 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
Chris,
>>> * Tunables to turn on/off audit are retained now, because database
>>> folks told me fine-grained logs are a worthwhile feature.
>> I'm still not very compelled by this, as I doubt people who do want more
>> auditing will want to enable it so coarsely.
>
> Hmm...
> OK, I'll remove these tunables, and add documentation on collecting
> fine-grained database access logs.
When we apply tuple-level access control, access-denied logs for filtered
tuples are noisy, and it has an adverse effect on performance.
For example, if a table contains 1,000,000 tuples and half of them are
labeled as ":s0:c0", unclassified users will see a flood of logs
on every access.
At least, is it necessary to be controllable on tuples?
--------
[kaigai@saba ~]$ psql postgres -q
postgres=# SELECT * FROM drink;
id | name | price | alcohol
----+-------+-------+---------
1 | water | 100 | f
2 | coke | 120 | f
3 | juice | 130 | f
4 | cofee | 180 | f
5 | beer | 240 | t
6 | sake | 320 | t
(6 rows)
postgres=#
[kaigai@saba ~]$ runcon -l s0 psql postgres -q
postgres=# SELECT * FROM drink;
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16490
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16491
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16492
id | name | price | alcohol
----+-------+-------+---------
1 | water | 100 | f
2 | coke | 120 | f
3 | juice | 130 | f
(3 rows)
postgres=#
--------
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-10 7:52 ` [PATCH] SE-PostgreSQL Security Policy Kohei KaiGai
@ 2008-03-11 12:30 ` Christopher J. PeBenito
2008-03-11 13:03 ` KaiGai Kohei
0 siblings, 1 reply; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-03-11 12:30 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: selinux
On Mon, 2008-03-10 at 16:52 +0900, Kohei KaiGai wrote:
> >>> * Tunables to turn on/off audit are retained now, because database
> >>> folks told me fine-grained logs are a worthwhile feature.
> >> I'm still not very compelled by this, as I doubt people who do want more
> >> auditing will want to enable it so coarsely.
> >
> > Hmm...
> > OK, I'll remove these tunables, and add documentation on collecting
> > fine-grained database access logs.
>
> When we apply tuple-level access control, access-denied logs for filtered
> tuples are noisy, and it has an adverse effect on performance.
> For example, if a table contains 1,000,000 tuples and half of them are
> labeled as ":s0:c0", unclassified users will see a flood of logs
> on every access.
>
> At least, is it necessary to be controllable on tuples?
[...]
> [kaigai@saba ~]$ runcon -l s0 psql postgres -q
> postgres=# SELECT * FROM drink;
> NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16490
> NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16491
> NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16492
> id | name | price | alcohol
> ----+-------+-------+---------
> 1 | water | 100 | f
> 2 | coke | 120 | f
> 3 | juice | 130 | f
> (3 rows)
I would just unconditionally dontaudit it.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
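The denial notices quoted above have the form `NOTICE: SELinux: denied { perm } scontext=... tcontext=... tclass=... name=...`. As an added example (not code from the thread, from SE-PostgreSQL or from the SELinux policy tools), the Python below parses such notices and sorts them the way a policy writer would before acting on the "unconditionally dontaudit it" suggestion: db_tuple denials become dontaudit candidates, denials explained by an MCS category mismatch are reported as expected filtering rather than a type-enforcement gap, and the rest become allow candidates for review. The sample log is constructed from the three lines in the thread plus two invented lines (staff_t and sepgsql_secret_table_t are assumptions of this example); the MCS test approximates the "subject high level dominates object low level" read constraint and is likewise an assumption.

```python
"""Triage SE-PostgreSQL denial notices before choosing between an allow rule
and an unconditional dontaudit.  Added example for this thread; the notice
format is the one shown above, the sample lines are constructed."""
import re
from collections import Counter

NOTICE_RE = re.compile(
    r"SELinux: denied \{ (?P<perms>[^}]+) \} "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: name=(?P<name>\S+))?"
)

# Object classes where a denial is the designed outcome (row filtering),
# so auditing it only produces noise: the "unconditionally dontaudit" case.
NOISE_CLASSES = {"db_tuple"}

# Constructed sample: the three notices from the thread plus two invented
# lines (staff_t and sepgsql_secret_table_t are assumptions of this example).
SAMPLE_LOG = """\
postgres=# SELECT * FROM drink;
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16490
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16491
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16492
NOTICE: SELinux: denied { select } scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c1 tclass=db_table name=drink
NOTICE: SELinux: denied { select getattr } scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sepgsql_secret_table_t:s0 tclass=db_table name=secrets
"""


def parse_notice(line):
    """Return the fields of one notice as a dict, or None for other lines."""
    m = NOTICE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["perms"] = tuple(fields["perms"].split())
    return fields


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def categories(ctx, high=False):
    """Category set of a context's low (or high) MLS level; c0.c2 expands to c0,c1,c2."""
    parts = ctx.split(":")
    if len(parts) < 4:
        return frozenset()
    levels = ":".join(parts[3:]).split("-")
    level = levels[-1] if high else levels[0]
    pieces = level.split(":")
    if len(pieces) < 2:
        return frozenset()
    cats = set()
    for item in pieces[1].split(","):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(item)
    return frozenset(cats)


def is_category_denial(fields):
    """Approximation of the MCS read constraint (subject high level must
    dominate the object's low level): a mismatch means no TE rule fixes it."""
    return not categories(fields["tcontext"]) <= categories(fields["scontext"], high=True)


def classify(fields):
    if fields["tclass"] in NOISE_CLASSES:
        return "dontaudit"
    if is_category_denial(fields):
        return "mcs"
    return "review"


def summarize(lines):
    """Count denials by (kind, source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        fields = parse_notice(line)
        if fields is None:
            continue
        for perm in fields["perms"]:
            counts[(classify(fields), context_type(fields["scontext"]),
                    context_type(fields["tcontext"]), fields["tclass"], perm)] += 1
    return counts


def suggest_rules(counts):
    """Policy-language text for each (kind, source, target, class) group."""
    grouped = {}
    for kind, stype, ttype, tclass, perm in counts:
        grouped.setdefault((kind, stype, ttype, tclass), set()).add(perm)
    rules = []
    for (kind, stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_list = "{ " + " ".join(sorted(perms)) + " }"
        if kind == "dontaudit":
            rules.append(f"dontaudit {stype} {ttype}:{tclass} {perm_list};")
        elif kind == "mcs":
            rules.append(f"# {stype} -> {ttype}:{tclass} {perm_list}: MCS category mismatch, no TE rule applies")
        else:
            rules.append(f"allow {stype} {ttype}:{tclass} {perm_list};  # review before adding")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(summarize(SAMPLE_LOG.splitlines())):
        print(rule)
```

Run against the sample, the three tuple denials from the thread collapse into one `dontaudit unconfined_t sepgsql_table_t:db_tuple { select };` line, the s0 vs s0:c1 table denial is reported as a category mismatch rather than turned into an allow rule, and only the sepgsql_secret_table_t denial is offered as an allow rule for review.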
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-09 14:24 ` KaiGai Kohei
@ 2008-03-11 12:57 ` Christopher J. PeBenito
2008-03-11 16:57 ` KaiGai Kohei
2008-03-17 9:31 ` [PATCH] SE-PostgreSQL Security Policy (try #3) Kohei KaiGai
0 siblings, 2 replies; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-03-11 12:57 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: Kohei KaiGai, selinux
On Sun, 2008-03-09 at 23:24 +0900, KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2008-03-07 at 10:52 +0900, Kohei KaiGai wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
> >>>> The attached patch provides security policies related to
> >>>> SE-PostgreSQL.
> > [...]
> >>>> +typeattribute unlabeled_t sepgsql_database_type;
> >>>> +typeattribute unlabeled_t sepgsql_table_type;
> >>>> +typeattribute unlabeled_t sepgsql_procedure_type;
> >>>> +typeattribute unlabeled_t sepgsql_blob_type;
> >>> Usage of unlabeled_t here is not permitted.
> >> Is it an appropriate manner to deploy optional_policy at kernel/kernel.te?
> >
> > Why is this needed at all?
>
> Database objects have persistent security contexts, as filesystems do.
> If their security contexts are invalidated by policy reloading etc., they
> need to be relabeled.
>
> The above rules enable administrative domains to access and relabel these objects
> in this case.
You need to add interfaces in the kernel module.
> >>>> +########################################
> >>>> +#
> >>>> +# SE-PostgreSQL Administrative domain local policy
> >>>> +# (sepgsql_unconfined_type)
> >>>> +
> >>>> +tunable_policy(`sepgsql_enable_unconfined',`
> >>>> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
> >>>> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
> >>>> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
> >>>> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
> >>>> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
> >>>> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
> >>>> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
> >>>> +
> >>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
> >>>> +',`
> >>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
> >>>> +')
> >>> Why is this tunable? Why is there a different type_transition behavior?
> >> I intend that users can turn off this tunable during the operation phase
> >> after initial database setup, to prevent applying unconfined accesses.
> >>
> >> When sepgsql_enable_unconfined is disabled, sepgsql_unconfined_type works
> >> as if it were sepgsql_client_type, because the sepgsql_unconfined_domain() interface
> >> associates a domain with sepgsql_(unconfined|client)_type.
> >
> > The problem is that this is inconsistent with the way other
> > *_unconfined() access works.
>
> However, this feature to disclaim widespread permissions is worthwhile in a database
> management system, because it is less frequently required in the operation phase, different
> from the construction phase.
> So, I think the default security policy should provide a way to restrict permissions
> for the administrative domain.
>
> If you are concerned that its name is confusable with other *_unconfined() interfaces,
> `sepgsql_enable_unconfined' can be renamed to `sepgsql_enable_administrative' and
> ditto for the name of the interface.
It seems to make more sense to have the interfaces be unconditional, and
then have the tunable at the call site.
> In my latest patch, newly created tables are labeled as sepgsql_FOO_table_t
> when the client does not belong to administrative domains. Because unconfined_t loses
> the grounds of its widespread permission when the boolean is disabled,
unconfined_t is going to have to always have unconfined access.
> it works as
> a generic domain. It also includes a behavior change in type_transition for tables.
I'll have to re-review it, but I'm still uneasy about changing
type_transitions.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-11 12:30 ` Christopher J. PeBenito
@ 2008-03-11 13:03 ` KaiGai Kohei
0 siblings, 0 replies; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-11 13:03 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Kohei KaiGai, selinux
Christopher J. PeBenito wrote:
> On Mon, 2008-03-10 at 16:52 +0900, Kohei KaiGai wrote:
>>>>> * Tunables to turn on/off audit are retained now, because database
>>>>> folks told me fine-grained logs are a worthwhile feature.
>>>> I'm still not very compelled by this, as I doubt people who do want more
>>>> auditing will want to enable it so coarsely.
>>> Hmm...
>>> OK, I'll remove these tunables, and add documentation on collecting
>>> fine-grained database access logs.
>> When we apply tuple-level access control, access-denied logs for filtered
>> tuples are noisy, and it has an adverse effect on performance.
>> For example, if a table contains 1,000,000 tuples and half of them are
>> labeled as ":s0:c0", unclassified users will see a flood of logs
>> on every access.
>>
>> At least, is it necessary to be controllable on tuples?
> [...]
>> [kaigai@saba ~]$ runcon -l s0 psql postgres -q
>> postgres=# SELECT * FROM drink;
>> NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16490
>> NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16491
>> NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16492
>> id | name | price | alcohol
>> ----+-------+-------+---------
>> 1 | water | 100 | f
>> 2 | coke | 120 | f
>> 3 | juice | 130 | f
>> (3 rows)
>
> I would just unconditionally dontaudit it.
OK, I'll add it.
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-11 12:57 ` Christopher J. PeBenito
@ 2008-03-11 16:57 ` KaiGai Kohei
2008-03-12 8:42 ` Kohei KaiGai
2008-03-17 9:31 ` [PATCH] SE-PostgreSQL Security Policy (try #3) Kohei KaiGai
1 sibling, 1 reply; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-11 16:57 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Kohei KaiGai, selinux
Christopher J. PeBenito wrote:
> On Sun, 2008-03-09 at 23:24 +0900, KaiGai Kohei wrote:
>> Christopher J. PeBenito wrote:
>>> On Fri, 2008-03-07 at 10:52 +0900, Kohei KaiGai wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>>>>>> The attached patch provides security policies related to
>>>>>> SE-PostgreSQL.
>>> [...]
>>>>>> +typeattribute unlabeled_t sepgsql_database_type;
>>>>>> +typeattribute unlabeled_t sepgsql_table_type;
>>>>>> +typeattribute unlabeled_t sepgsql_procedure_type;
>>>>>> +typeattribute unlabeled_t sepgsql_blob_type;
>>>>> Usage of unlabeled_t here is not permitted.
>>>> Is it an appropriate manner to deploy optional_policy at kernel/kernel.te?
>>> Why is this needed at all?
>> Database objects have persistent security contexts, as filesystems do.
>> If their security contexts are invalidated by policy reloading etc., they
>> need to be relabeled.
>>
>> The above rules enable administrative domains to access and relabel these objects
>> in this case.
>
> You need to add interfaces in the kernel module.
Are you saying I should put new interfaces in kernel/kernel.if and use them in
services/postgresql.te? Or the inverse?
>>>>>> +########################################
>>>>>> +#
>>>>>> +# SE-PostgreSQL Administrative domain local policy
>>>>>> +# (sepgsql_unconfined_type)
>>>>>> +
>>>>>> +tunable_policy(`sepgsql_enable_unconfined',`
>>>>>> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
>>>>>> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
>>>>>> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
>>>>>> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
>>>>>> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
>>>>>> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
>>>>>> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
>>>>>> +
>>>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
>>>>>> +',`
>>>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
>>>>>> +')
>>>>> Why is this tunable? Why is there a different type_transition behavior?
>>>> I intend that users can turn off this tunable during the operation phase
>>>> after initial database setup, to prevent applying unconfined accesses.
>>>>
>>>> When sepgsql_enable_unconfined is disabled, sepgsql_unconfined_type works
>>>> as if it were sepgsql_client_type, because the sepgsql_unconfined_domain() interface
>>>> associates a domain with sepgsql_(unconfined|client)_type.
>>> The problem is that this is inconsistent with the way other
>>> *_unconfined() access works.
>> However, this feature to disclaim widespread permissions is worthwhile in a database
>> management system, because it is less frequently required in the operation phase, different
>> from the construction phase.
>> So, I think the default security policy should provide a way to restrict permissions
>> for the administrative domain.
>>
>> If you are concerned that its name is confusable with other *_unconfined() interfaces,
>> `sepgsql_enable_unconfined' can be renamed to `sepgsql_enable_administrative' and
>> ditto for the name of the interface.
>
> It seems to make more sense to have the interfaces be unconditional, and
> then have the tunable at the call site.
Is it possible?
Currently, we cannot put a TYPEATTRIBUTE statement in a tunable block.
If the caller side puts postgresql_unconfined() in a tunable block, we cannot build it properly.
>> In my latest patch, newly created tables are labeled as sepgsql_FOO_table_t
>> when the client does not belong to administrative domains. Because unconfined_t loses
>> the grounds of its widespread permission when the boolean is disabled,
>
> unconfined_t is going to have to always have unconfined access.
I can understand unconfined_t should work as its name says.
However, I'm worried that an unconfined domain can invoke user-defined functions
with its capabilities, because they can contain malicious queries.
In my current policy, it denies unconfined domains invoking user-defined
functions directly. They have to confirm it is harmless and relabel it to
sepgsql_proc_t.
It is a different issue from the tunable unconfined domain.
However, I want you to understand that allowing unconfined domains to invoke
user-defined functions directly is fundamentally risky.
(Thus, I don't allow unconfined domains to invoke sepgsql_FOO_proc_t.)
>> it works as
>> a generic domain. It also includes a behavior change in type_transition for tables.
>
> I'll have to re-review it, but I'm still uneasy about changing
> type_transitions.
I think the default type of database objects should be a common one, not a local type
like sepgsql_FOO_table_t. When it works as a DBA, a newly created table should
be labeled as sepgsql_table_t, even if unconfined_t has its local sepgsql_unconfined_table_t.
Thus, type_transition also needs to be tunable, if the unconfined domain is tunable.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
* Re: [PATCH] SE-PostgreSQL Security Policy
2008-03-11 16:57 ` KaiGai Kohei
@ 2008-03-12 8:42 ` Kohei KaiGai
0 siblings, 0 replies; 34+ messages in thread
From: Kohei KaiGai @ 2008-03-12 8:42 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
Chris,
This is a summary of this thread.
I think we have three issues now, as follows:
[1] unconfined_t is not always unconfined
My current policy does not allow unconfined domains to invoke
user-defined functions, because malicious queries can be stored in them.
Thus, the unconfined domain has to confirm it is harmless and relabel it
to the sepgsql_proc_t type.
However, this approach does not allow the unconfined domain to work as its name says.
[2] conditional unconfined domain
Most administrative users less frequently require widespread
permissions in the operation phase, different from the construction phase.
Thus, an option to revoke unconfined authority is worthwhile for
secure database administration.
However, no other domain has a similar option.
[3] conditional type_transition
Applying per-user local types is a good idea. It enables separating
database objects logically. However, I think the default types created
by a DBA should be labeled as a common type, not a local one.
e.g.) I want newly created tables to be labeled as "sepgsql_table_t",
not "sepgsql_unconfined_table_t".
If the unconfined domain is conditional, it depends on the tunable whether
the subject is a DBA or not. So, type_transition needs to be conditional.
I can understand [2] is an odd manner in the current upstream policy
design. Therefore, I can remove [3], the conditional type_transition with
"sepgsql_enable_unconfined".
However, I want to keep the [1] rules. As unconfined_t is restricted on
execmem and execmod, it should be handled as a special case for risky
situations.
In addition, I want to provide end-users an option to turn on/off
applying per-user local types. If end-users decide to apply MCS
for logical separation or they don't need it, per-user local types
are not necessary. A new tunable ("sepgsql_enable_unified" for example)
can be considered, but it means type_transition rules are put within a
tunable block.
Thanks,
KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
>> On Sun, 2008-03-09 at 23:24 +0900, KaiGai Kohei wrote:
>>> Christopher J. PeBenito wrote:
>>>> On Fri, 2008-03-07 at 10:52 +0900, Kohei KaiGai wrote:
>>>>> Christopher J. PeBenito wrote:
>>>>>> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>>>>>>> The attached patch provides security policies related to
>>>>>>> SE-PostgreSQL.
>>>> [...]
>>>>>>> +typeattribute unlabeled_t sepgsql_database_type;
>>>>>>> +typeattribute unlabeled_t sepgsql_table_type;
>>>>>>> +typeattribute unlabeled_t sepgsql_procedure_type;
>>>>>>> +typeattribute unlabeled_t sepgsql_blob_type;
>>>>>> Usage of unlabeled_t here is not permitted.
>>>>> Is it an appropriate manner to deploy optional_policy at kernel/kernel.te?
>>>> Why is this needed at all?
>>> Database objects have persistent security contexts, as filesystems do.
>>> If their security contexts are invalidated by policy reloading etc., they
>>> need to be relabeled.
>>>
>>> The above rules enable administrative domains to access and relabel these objects
>>> in this case.
>> You need to add interfaces in the kernel module.
>
> Are you saying I should put new interfaces on kernel/kernel.if and use them in
> services/postgresql.te? Or inverse meaning?
>
>>>>>>> +########################################
>>>>>>> +#
>>>>>>> +# SE-PostgreSQL Administrative domain local policy
>>>>>>> +# (sepgsql_unconfined_type)
>>>>>>> +
>>>>>>> +tunable_policy(`sepgsql_enable_unconfined',`
>>>>>>> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
>>>>>>> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
>>>>>>> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
>>>>>>> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
>>>>>>> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
>>>>>>> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
>>>>>>> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
>>>>>>> +
>>>>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
>>>>>>> +',`
>>>>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
>>>>>>> +')
>>>>>> Why is this tunable? Why is there a different type_transition behavior?
>>>>> I intend that users can turn off this tunable during the operation phase
>>>>> after initial database setup, to prevent applying unconfined accesses.
>>>>>
>>>>> When sepgsql_enable_unconfined is disabled, sepgsql_unconfined_type works
>>>>> as if it were sepgsql_client_type, because the sepgsql_unconfined_domain() interface
>>>>> associates a domain with sepgsql_(unconfined|client)_type.
>>>> The problem is that this is inconsistent with the way other
>>>> *_unconfined() access works.
>>> However, this feature to disclaim widespread permissions is worthwhile in a database
>>> management system, because it is less frequently required in the operation phase, different
>>> from the construction phase.
>>> So, I think the default security policy should provide a way to restrict permissions
>>> for the administrative domain.
>>>
>>> If you are concerned that its name is confusable with other *_unconfined() interfaces,
>>> `sepgsql_enable_unconfined' can be renamed to `sepgsql_enable_administrative' and
>>> ditto for the name of the interface.
>> It seems to make more sense to have the interfaces be unconditional, and
>> then have the tunable at the call site.
>
> Is it possible?
> Currently, we cannot put a TYPEATTRIBUTE statement in a tunable block.
> If the caller side puts postgresql_unconfined() in a tunable block, we cannot build it properly.
>
>>> In my latest patch, newly created tables are labeled as sepgsql_FOO_table_t
>>> when the client does not belong to administrative domains. Because unconfined_t loses
>>> the grounds of its widespread permission when the boolean is disabled,
>> unconfined_t is going to have to always have unconfined access.
>
> I can understand unconfined_t should work as its name says.
>
> However, I'm worried that an unconfined domain can invoke user-defined functions
> with its capabilities, because they can contain malicious queries.
> In my current policy, it denies unconfined domains invoking user-defined
> functions directly. They have to confirm it is harmless and relabel it to
> sepgsql_proc_t.
>
> It is a different issue from the tunable unconfined domain.
> However, I want you to understand that allowing unconfined domains to invoke
> user-defined functions directly is fundamentally risky.
> (Thus, I don't allow unconfined domains to invoke sepgsql_FOO_proc_t.)
>
>>> it works as
>>> a generic domain. It also includes a behavior change in type_transition for tables.
>> I'll have to re-review it, but I'm still uneasy about changing
>> type_transitions.
>
> I think the default type of database objects should be a common one, not a local type
> like sepgsql_FOO_table_t. When it works as a DBA, a newly created table should
> be labeled as sepgsql_table_t, even if unconfined_t has its local sepgsql_unconfined_table_t.
> Thus, type_transition also needs to be tunable, if the unconfined domain is tunable.
>
> Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-11 12:57 ` Christopher J. PeBenito
2008-03-11 16:57 ` KaiGai Kohei
@ 2008-03-17 9:31 ` Kohei KaiGai
2008-03-19 14:45 ` Christopher J. PeBenito
From: Kohei KaiGai @ 2008-03-17 9:31 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
[-- Attachment #1: Type: text/plain, Size: 4847 bytes --]
The attached patch provides revised SE-PostgreSQL policy.
Updates from the previous version:
o sepgsql_enable_unconfined was removed.
o conditional type_transition was removed.
However, the following policies are unchanged, because I'm not
sure what your opinion is.
- In kernel/kernel.te, interfaces declared in services/postgresql.if
are invoked.
- Unconfined domains cannot invoke user defined functions for
security reasons.
In the discussion about conditional type_transition, I mentioned
a new boolean "sepgsql_unified_type" to turn on/off per-domain types
like sepgsql_user_table_t; it is not included in this patch yet.
Please review this one.
Thanks,
Christopher J. PeBenito wrote:
> On Sun, 2008-03-09 at 23:24 +0900, KaiGai Kohei wrote:
>> Christopher J. PeBenito wrote:
>>> On Fri, 2008-03-07 at 10:52 +0900, Kohei KaiGai wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> On Wed, 2008-02-27 at 17:00 +0900, Kohei KaiGai wrote:
>>>>>> The attached patch provides security policies related to
>>>>>> SE-PostgreSQL.
>>> [...]
>>>>>> +typeattribute unlabeled_t sepgsql_database_type;
>>>>>> +typeattribute unlabeled_t sepgsql_table_type;
>>>>>> +typeattribute unlabeled_t sepgsql_procedure_type;
>>>>>> +typeattribute unlabeled_t sepgsql_blob_type;
>>>>> Usage of unlabeled_t here is not permitted.
>>>> Is it an appropriate manner to deploy optional_policy in kernel/kernel.te?
>>> Why is this needed at all?
>> Database objects have a persistent security context, as a filesystem does.
>> If their security contexts are invalidated by policy reloading etc., it is
>> necessary for them to be relabeled.
>>
>> The above rules enable administrative domains to access and relabel these objects
>> in this case.
>
> You need to add interfaces in the kernel module.
>
>>>>>> +########################################
>>>>>> +#
>>>>>> +# SE-PostgreSQL Administrative domain local policy
>>>>>> +# (sepgsql_unconfined_type)
>>>>>> +
>>>>>> +tunable_policy(`sepgsql_enable_unconfined',`
>>>>>> + allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
>>>>>> + allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
>>>>>> + allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
>>>>>> + allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
>>>>>> + allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
>>>>>> + allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
>>>>>> + allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
>>>>>> +
>>>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
>>>>>> +',`
>>>>>> + type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
>>>>>> +')
>>>>> Why is this tunable? Why is there a different type_transition behavior?
>>>> I intend that users can turn off this tunable during the operation phase
>>>> after the initial database setup, to prevent applying unconfined accesses.
>>>>
>>>> When sepgsql_enable_unconfined is disabled, sepgsql_unconfined_type works
>>>> as if it were sepgsql_client_type, because the sepgsql_unconfined_domain() interface
>>>> associates a domain with sepgsql_(unconfined|client)_type.
>>> The problem is that this is inconsistent with the way other
>>> *_unconfined() access works.
>> However, this feature to disclaim widespread permissions is worthwhile in a database
>> management system, because it is less frequently required in the operation phase than
>> in the construction phase.
>> So, I think the default security policy should provide a way to restrict permissions
>> for the administrative domain.
>>
>> If you are concerned that its name is confusable with other *_unconfined() interfaces,
>> `sepgsql_enable_unconfined' can be renamed to `sepgsql_enable_administrative' and
>> ditto for the name of the interface.
>
> It seems to make more sense to have the interfaces be unconditional, and
> then have the tunable at the call site.
>
>> In my latest patch, newly created tables are labeled as sepgsql_FOO_table_t
>> when the client does not belong to administrative domains. Because unconfined_t loses
>> the grounds of its widespread permission when the boolean is disabled,
>
> unconfined_t is going to have to always have unconfined access.
>
>> it works as
>> a generic domain. It also includes behavior changing in type_transition for tables.
>
> I'll have to re-review it, but I'm still uneasy about changing
> type_transitions.
>
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-sepostgresql.3.patch --]
[-- Type: text/x-patch, Size: 19903 bytes --]
Index: refpolicy-sepgsql/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-sepgsql/policy/modules/kernel/kernel.te (revision 2639)
+++ refpolicy-sepgsql/policy/modules/kernel/kernel.te (working copy)
@@ -358,6 +358,17 @@
########################################
#
+# Unlabeled database objects
+#
+optional_policy(`
+ postgresql_database_object(unlabeled_t)
+ postgresql_table_object(unlabeled_t)
+ postgresql_procedure_object(unlabeled_t)
+ postgresql_blob_object(unlabeled_t)
+')
+
+########################################
+#
# Rules for unconfined acccess to this module
#
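Review bot: kernel.te should not call interfaces from services/postgresql.if; the optional_policy block here makes the kernel module depend on a service module, which is the reverse of the refpolicy layering. Declare interfaces in kernel/kernel.if that grant the needed access to unlabeled_t for the db_* classes instead, for example `kernel_relabelfrom_unlabeled_table` allowing `$1 unlabeled_t:db_table relabelfrom`, and call them from postgresql.te for postgresql_t and the administrative domains. Note what the current form grants: once unlabeled_t carries sepgsql_database_type, sepgsql_table_type and friends, every `allow ... sepgsql_table_type : { db_table db_column db_tuple } *` rule in postgresql.te gives the server and sepgsql_unconfined_type full access to objects whose label has become invalid, which is considerably broader than the relabelfrom an administrator needs to recover them.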
Index: refpolicy-sepgsql/policy/modules/services/postgresql.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.if (revision 2639)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.if (working copy)
@@ -120,3 +120,228 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+#######################################
+## <summary>
+## The userdomain template for the SE-PostgreSQL.
+## </summary>
+## <desc>
+## This template creates a delivered types which are used
+## for given userdomains.
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`postgresql_userdom_template',`
+ gen_require(`
+ class db_database all_db_database_perms;
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_client_type;
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_userdom_type;
+
+ attribute sepgsql_database_type;
+ type sepgsql_trusted_domain_t;
+ type sepgsql_sysobj_t;
+
+ bool sepgsql_enable_users_ddl;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ typeattribute $1_t sepgsql_client_type;
+ typeattribute $1_t sepgsql_userdom_type;
+
+ type sepgsql_$1_table_t;
+ postgresql_table_object(sepgsql_$1_table_t)
+
+ type sepgsql_$1_sysobj_t;
+ postgresql_system_table_object(sepgsql_$1_sysobj_t)
+
+ type sepgsql_$1_proc_t;
+ postgresql_procedure_object(sepgsql_$1_proc_t)
+
+ type sepgsql_$1_blob_t;
+ postgresql_blob_object(sepgsql_$1_blob_t)
+
+ ##############################
+ #
+ # Client local policy
+ #
+ type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
+ type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
+ type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
+ type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $1_t sepgsql_$1_table_t : db_table { create drop };
+ allow $1_t sepgsql_$1_table_t : db_column { create drop };
+ allow $1_t sepgsql_$1_sysobj_t : db_tuple { update insert delete };
+ ')
+
+ allow $1_t sepgsql_$1_table_t : db_table { getattr setattr use select update insert delete };
+ allow $1_t sepgsql_$1_table_t : db_column { getattr setattr use select update insert };
+ allow $1_t sepgsql_$1_table_t : db_tuple { use select update insert delete };
+ allow $1_t sepgsql_$1_sysobj_t : db_tuple { use select };
+
+ allow $1_t sepgsql_$1_proc_t : db_procedure { create drop getattr setattr execute };
+
+ allow $1_t sepgsql_$1_blob_t : db_blob { create drop getattr setattr read write };
+
+ # Trusted Procedure
+ role $1_r types sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unconfined accesses to any database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unconfined',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_unconfined_type;
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unprivileged accesses to unifined database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_client',`
+ gen_require(`
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_loadable_module',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+ typeattribute $1 sepgsql_module_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL database object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_database_object',`
+ gen_require(`
+ attribute sepgsql_database_type;
+ ')
+ typeattribute $1 sepgsql_database_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ ')
+ typeattribute $1 sepgsql_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL system table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_system_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ attribute sepgsql_sysobj_table_type;
+ ')
+ typeattribute $1 sepgsql_table_type;
+ typeattribute $1 sepgsql_sysobj_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL procedure object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_procedure_object',`
+ gen_require(`
+ attribute sepgsql_procedure_type;
+ ')
+ typeattribute $1 sepgsql_procedure_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL binary large object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database binary large object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_blob_object',`
+ gen_require(`
+ attribute sepgsql_blob_type;
+ ')
+ typeattribute $1 sepgsql_blob_type;
+')
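Review bot: the type_transition rules in postgresql_userdom_template subtract sepgsql_unconfined_type, so a user domain that is unconfined when it creates tables, procedures or blobs gets objects of the generic types, and if the administrator later confines that user its allow rules only cover sepgsql_$1_table_t and it loses access to its own data; transitioning to the per-user types unconditionally avoids that. Two smaller points in the same hunk: the template hardcodes `$1_t` and `$1_r`, whereas the per-role templates elsewhere in refpolicy take three parameters (prefix, domain, role), so `$1_t` should become `$2` and `$1_r` should become `$3`; and the interface documentation has typos, `This template creates a delivered types` should read `derived types`, and `unprivileged accesses to unifined database objects` in the postgresql_client summary needs the intended word.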
Index: refpolicy-sepgsql/policy/modules/services/apache.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.te (revision 2639)
+++ refpolicy-sepgsql/policy/modules/services/apache.te (working copy)
@@ -479,6 +479,8 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
')
+
+ postgresql_client(httpd_t)
')
optional_policy(`
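Review bot: postgresql_client(httpd_t) sits outside the tunable_policy(`httpd_can_network_connect_db') block, so httpd_t is granted the full sepgsql_client_type access (select/update/insert/delete on sepgsql_table_t, execute on sepgsql_proc_t, create and write on sepgsql_blob_t) even when the boolean that lets it reach the database over TCP is off. If that is intentional because a local socket connection is allowed elsewhere, a comment should say so; otherwise move the call inside the tunable block so the database-side permissions follow the same switch as the connection permission.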
Index: refpolicy-sepgsql/policy/modules/services/apache.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.if (revision 2639)
+++ refpolicy-sepgsql/policy/modules/services/apache.if (working copy)
@@ -226,6 +226,10 @@
')
optional_policy(`
+ postgresql_client(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
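Review bot: the new optional_policy block for postgresql_client(httpd_$1_script_t) is inserted before the nscd_socket_use block, but refpolicy keeps optional_policy blocks sorted alphabetically by module, so it belongs after the nscd block. Also worth a one-line comment in the template: every httpd script domain becomes an SE-PostgreSQL client here unconditionally, with no tunable to switch it off, which is a wider grant than the tunable-gated database connection in apache.te suggests.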
Index: refpolicy-sepgsql/policy/modules/services/postgresql.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.te (revision 2639)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.te (working copy)
@@ -166,3 +166,178 @@
optional_policy(`
udev_read_db(postgresql_t)
')
+
+#################################
+#
+# SE-PostgreSQL Boolean declarations
+#
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
+#################################
+#
+# SE-PostgreSQL Type/Attribute declarations
+#
+
+# database subjects
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+attribute sepgsql_userdom_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_sysobj_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database trusted domain
+type sepgsql_trusted_domain_t;
+
+# database object types
+type sepgsql_db_t;
+postgresql_database_object(sepgsql_db_t)
+
+type sepgsql_table_t;
+postgresql_table_object(sepgsql_table_t)
+type sepgsql_sysobj_t;
+postgresql_system_table_object(sepgsql_sysobj_t)
+type sepgsql_secret_table_t;
+postgresql_table_object(sepgsql_secret_table_t)
+type sepgsql_ro_table_t;
+postgresql_table_object(sepgsql_ro_table_t)
+type sepgsql_fixed_table_t;
+postgresql_table_object(sepgsql_fixed_table_t)
+
+type sepgsql_proc_t;
+postgresql_procedure_object(sepgsql_proc_t)
+type sepgsql_trusted_proc_t;
+postgresql_procedure_object(sepgsql_trusted_proc_t)
+
+type sepgsql_blob_t;
+postgresql_blob_object(sepgsql_blob_t)
+type sepgsql_ro_blob_t;
+postgresql_blob_object(sepgsql_ro_blob_t)
+type sepgsql_secret_blob_t;
+postgresql_blob_object(sepgsql_secret_blob_t)
+
+########################################
+#
+# SE-PostgreSQL Server Local policy
+# (postgresql_t)
+
+allow postgresql_t self : netlink_selinux_socket create_socket_perms;
+selinux_get_fs_mount(postgresql_t)
+selinux_get_enforce_mode(postgresql_t)
+selinux_validate_context(postgresql_t)
+selinux_compute_access_vector(postgresql_t)
+selinux_compute_create_context(postgresql_t)
+selinux_compute_relabel_context(postgresql_t)
+
+allow postgresql_t sepgsql_database_type : db_database *;
+allow postgresql_t sepgsql_module_type : db_database { install_module };
+allow postgresql_t sepgsql_table_type : { db_table db_column db_tuple } *;
+allow postgresql_t sepgsql_procedure_type : db_procedure *;
+allow postgresql_t sepgsql_blob_type : db_blob *;
+
+# server specific type transitions
+type_transition postgresql_t postgresql_t : db_database sepgsql_db_t;
+type_transition postgresql_t sepgsql_database_type : db_table sepgsql_sysobj_t;
+type_transition postgresql_t sepgsql_database_type : db_procedure sepgsql_proc_t;
+type_transition postgresql_t sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL unconfined domain local policy
+# (sepgsql_unconfined_type)
+
+allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
+allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
+allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t } : db_procedure *;
+allow sepgsql_unconfined_type sepgsql_procedure_type : db_procedure { create drop getattr setattr relabelfrom relabelto };
+allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
+allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
+
+type_transition sepgsql_unconfined_type sepgsql_database_type : db_table sepgsql_table_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL unpriv-Client domain local policy
+# (sepgsql_client_type)
+
+allow sepgsql_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
+
+allow sepgsql_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
+allow sepgsql_client_type sepgsql_table_t : db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t : db_tuple { use select update insert delete };
+
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_client_type sepgsql_table_t : db_table { create drop setattr };
+ allow sepgsql_client_type sepgsql_table_t : db_column { create drop setattr };
+ allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { update insert delete };
+')
+
+allow sepgsql_client_type sepgsql_sysobj_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_secret_table_t : db_table { getattr };
+allow sepgsql_client_type sepgsql_secret_table_t : db_column { getattr };
+
+allow sepgsql_client_type sepgsql_ro_table_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_fixed_table_t : db_table { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_proc_t : db_procedure { getattr execute };
+allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t : db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t : db_blob { getattr };
+
+# call trusted procedure
+type_transition sepgsql_client_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
+allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };
+
+# type transitions for rest of domains
+type_transition sepgsql_client_type postgresql_t : db_database sepgsql_db_t;
+type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_table sepgsql_table_t;
+type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
+type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL Misc policies
+#
+
+# Trusted Procedure Domain
+domain_type(sepgsql_trusted_domain_t)
+postgresql_unconfined(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+
+# The following permissions are allowed, even if sepgsql_enable_unconfined is disabled.
+allow sepgsql_trusted_domain_t sepgsql_database_type : db_database { getattr setattr access get_param set_param};
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_table { getattr use select update insert delete lock };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_column { getattr use select update insert };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_tuple { use select update insert delete };
+
+allow sepgsql_trusted_domain_t sepgsql_blob_type : db_blob { getattr setattr read write };
+
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type : db_database { load_module };
+
+# Don't audit deny logs in row-level access control
+dontaudit sepgsql_client_type { sepgsql_table_type - sepgsql_sysobj_table_type } : db_tuple *;
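Review bot: the comment `# The following permissions are allowed, even if sepgsql_enable_unconfined is disabled.` refers to a boolean this revision removed, and since sepgsql_trusted_domain_t receives postgresql_unconfined() a few lines above, the explicit allow rules beneath that comment are subsumed by the sepgsql_unconfined_type rules and can be dropped together with it. Other points in this hunk: the type and attribute declarations (sepgsql_*_type, sepgsql_*_t, the gen_tunable) should move up to the declarations section at the top of the file instead of sitting after the server's optional_policy blocks; `get_param set_param}` is missing a space before the brace in two places; and `dontaudit sepgsql_client_type { sepgsql_table_type - sepgsql_sysobj_table_type } : db_tuple *;` silences every row-level denial, including rejected update and delete attempts, which takes away the audit trail an administrator would rely on to notice a client probing rows it is not allowed to touch. Consider narrowing the dontaudit to `{ use select }`, which covers the noisy row-filtering case, or placing it under a tunable.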
Index: refpolicy-sepgsql/policy/modules/services/postgresql.fc
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.fc (revision 2639)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.fc (working copy)
@@ -6,8 +6,9 @@
#
# /usr
#
-/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
@@ -30,8 +31,12 @@
/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
ifdef(`distro_redhat', `
/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
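Review bot: the `--` file-type specifier on `/var/lib/sepgsql/pgstartup\.log` is inconsistent with the existing `/var/lib/pgsql/pgstartup\.log` entry just above it, which has none; either form works but the two should match. Also `/var/lib/sepgsql(/.*)?` labels the whole directory tree postgresql_db_t, whereas the existing layout labels only `/var/lib/pgsql/data(/.*)?`; confirm that is deliberate for the SE-PostgreSQL package layout rather than an oversight.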
Index: refpolicy-sepgsql/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/userdomain.if (revision 2639)
+++ refpolicy-sepgsql/policy/modules/system/userdomain.if (working copy)
@@ -1201,6 +1201,10 @@
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
+ optional_policy(`
+ postgresql_userdom_template($1)
+ ')
+
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -1371,6 +1375,10 @@
')
optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+
+ optional_policy(`
userhelper_exec($1_t)
')
')
Index: refpolicy-sepgsql/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.te (revision 2639)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.te (working copy)
@@ -189,6 +189,11 @@
')
optional_policy(`
+ postgresql_userdom_template(unconfined)
+ postgresql_unconfined(unconfined_t)
+')
+
+optional_policy(`
tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
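Review bot: postgresql_userdom_template(unconfined) declares sepgsql_unconfined_table_t, sepgsql_unconfined_sysobj_t, sepgsql_unconfined_proc_t and sepgsql_unconfined_blob_t, but because postgresql_unconfined(unconfined_t) puts unconfined_t into sepgsql_unconfined_type, which the template's type_transition rules subtract, those types are never the default for anything unconfined_t creates; its tables land in sepgsql_table_t through the sepgsql_unconfined_type rule in postgresql.te. Either drop the template call here or make the template transition unconditionally, so that unused types are not declared.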
Index: refpolicy-sepgsql/policy/modules/system/libraries.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/libraries.te (revision 2639)
+++ refpolicy-sepgsql/policy/modules/system/libraries.te (working copy)
@@ -109,3 +109,8 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ postgresql_loadable_module(lib_t)
+ postgresql_loadable_module(textrel_shlib_t)
+')
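Review bot: marking all of lib_t and textrel_shlib_t as sepgsql_module_type means any shared library on the system can be installed (`db_database { install_module }` for sepgsql_unconfined_type in postgresql.te) and loaded (`db_database { load_module }` for sepgsql_database_type) into the server as a database module; a dedicated type for the libraries shipped as SE-PostgreSQL extensions would keep that to the modules intended for it. Style point: refpolicy orders optional_policy blocks alphabetically, so this postgresql block belongs before the rpm block rather than at the end of the file.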
Index: refpolicy-sepgsql/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.if (revision 2639)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.if (working copy)
@@ -88,6 +88,10 @@
')
optional_policy(`
+ postgresql_unconfined($1)
+ ')
+
+ optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-17 9:31 ` [PATCH] SE-PostgreSQL Security Policy (try #3) Kohei KaiGai
@ 2008-03-19 14:45 ` Christopher J. PeBenito
2008-03-21 4:32 ` KaiGai Kohei
From: Christopher J. PeBenito @ 2008-03-19 14:45 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: KaiGai Kohei, selinux
On Mon, 2008-03-17 at 18:31 +0900, Kohei KaiGai wrote:
> The attached patch provides revised SE-PostgreSQL policy.
>
> Updates from the previous version:
> o sepgsql_enable_unconfined was removed.
> o conditional type_transition was removed.
>
> However, the following policies are unchanged, because I'm not
> sure what your opinion is.
> - In kernel/kernel.te, interfaces declared in services/postgresql.if
> are invoked.
> - Unconfined domains cannot invoke user defined functions for
> security reasons.
>
> In the discussion about conditional type_transition, I mentioned
> a new boolean "sepgsql_unified_type" to turn on/off per-domain types
> like sepgsql_user_table_t; it is not included in this patch yet.
>
> Please review this one.
> Thanks,
>
>
> Index: refpolicy-sepgsql/policy/modules/kernel/kernel.te
> ===================================================================
> --- refpolicy-sepgsql/policy/modules/kernel/kernel.te (revision 2639)
> +++ refpolicy-sepgsql/policy/modules/kernel/kernel.te (working copy)
> @@ -358,6 +358,17 @@
>
> ########################################
> #
> +# Unlabeled database objects
> +#
> +optional_policy(`
> + postgresql_database_object(unlabeled_t)
> + postgresql_table_object(unlabeled_t)
> + postgresql_procedure_object(unlabeled_t)
> + postgresql_blob_object(unlabeled_t)
> +')
I think interfaces should be added to kernel.if to allow the appropriate
access. It seems that the database would have some access to the
objects, and then an admin would be able to relabel from unlabeled_t for
db_database, db_table, etc.
for example:
interface(`kernel_relabelfrom_unlabeled_table',`
	gen_require(`
		type unlabeled_t;
		class db_table relabelfrom;
	')

	allow $1 unlabeled_t:db_table relabelfrom;
')
> Index: refpolicy-sepgsql/policy/modules/services/postgresql.if
> ===================================================================
> --- refpolicy-sepgsql/policy/modules/services/postgresql.if (revision 2639)
> +++ refpolicy-sepgsql/policy/modules/services/postgresql.if (working copy)
> @@ -120,3 +120,228 @@
> # Some versions of postgresql put the sock file in /tmp
> allow $1 postgresql_tmp_t:sock_file write;
> ')
> +
> +#######################################
> +## <summary>
> +## The userdomain template for the SE-PostgreSQL.
> +## </summary>
> +## <desc>
> +## This template creates a delivered types which are used
> +## for given userdomains.
> +## </desc>
> +## <param name="userdomain_prefix">
> +## <summary>
> +## The prefix of the user domain (e.g., user
> +## is the prefix for user_t).
> +## </summary>
> +## </param>
> +#
> +template(`postgresql_userdom_template',`
> + gen_require(`
> + class db_database all_db_database_perms;
> + class db_table all_db_table_perms;
> + class db_procedure all_db_procedure_perms;
> + class db_column all_db_column_perms;
> + class db_tuple all_db_tuple_perms;
> + class db_blob all_db_blob_perms;
> +
> + attribute sepgsql_client_type;
> + attribute sepgsql_unconfined_type;
> + attribute sepgsql_userdom_type;
> +
> + attribute sepgsql_database_type;
> + type sepgsql_trusted_domain_t;
> + type sepgsql_sysobj_t;
> +
> + bool sepgsql_enable_users_ddl;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + typeattribute $1_t sepgsql_client_type;
> + typeattribute $1_t sepgsql_userdom_type;
> +
> + type sepgsql_$1_table_t;
> + postgresql_table_object(sepgsql_$1_table_t)
> +
> + type sepgsql_$1_sysobj_t;
> + postgresql_system_table_object(sepgsql_$1_sysobj_t)
> +
> + type sepgsql_$1_proc_t;
> + postgresql_procedure_object(sepgsql_$1_proc_t)
> +
> + type sepgsql_$1_blob_t;
> + postgresql_blob_object(sepgsql_$1_blob_t)
> +
> + ##############################
> + #
> + # Client local policy
> + #
> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
This should probably transition even if it's unconfined. If a user
starts out unconfined and then the admin later decides the user should
be confined, the user will lose access to its object, right?
> + tunable_policy(`sepgsql_enable_users_ddl',`
> + allow $1_t sepgsql_$1_table_t : db_table { create drop };
> + allow $1_t sepgsql_$1_table_t : db_column { create drop };
> + allow $1_t sepgsql_$1_sysobj_t : db_tuple { update insert delete };
> + ')
> +
> + allow $1_t sepgsql_$1_table_t : db_table { getattr setattr use select update insert delete };
> + allow $1_t sepgsql_$1_table_t : db_column { getattr setattr use select update insert };
> + allow $1_t sepgsql_$1_table_t : db_tuple { use select update insert delete };
> + allow $1_t sepgsql_$1_sysobj_t : db_tuple { use select };
> +
> + allow $1_t sepgsql_$1_proc_t : db_procedure { create drop getattr setattr execute };
> +
> + allow $1_t sepgsql_$1_blob_t : db_blob { create drop getattr setattr read write };
> +
> + # Trusted Procedure
> + role $1_r types sepgsql_trusted_domain_t;
> +')
Seems that this should have 3 parameters, just like per-role templates.
Then $1_t becomes $2 and $1_r becomes $3.
> --- refpolicy-sepgsql/policy/modules/services/postgresql.te (revision 2639)
> +++ refpolicy-sepgsql/policy/modules/services/postgresql.te (working copy)
> @@ -166,3 +166,178 @@
> optional_policy(`
> udev_read_db(postgresql_t)
> ')
> +
> +#################################
> +#
> +# SE-PostgreSQL Boolean declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow unprived users to execute DDL statement
> +## </p>
> +## </desc>
> +gen_tunable(sepgsql_enable_users_ddl, true)
> +
> +#################################
> +#
> +# SE-PostgreSQL Type/Attribute declarations
> +#
> +
> +# database subjects
> +attribute sepgsql_client_type;
> +attribute sepgsql_unconfined_type;
> +attribute sepgsql_userdom_type;
> +
> +# database objects attribute
> +attribute sepgsql_database_type;
> +attribute sepgsql_table_type;
> +attribute sepgsql_sysobj_table_type;
> +attribute sepgsql_procedure_type;
> +attribute sepgsql_blob_type;
> +attribute sepgsql_module_type;
> +
> +# database trusted domain
> +type sepgsql_trusted_domain_t;
> +
> +# database object types
> +type sepgsql_db_t;
> +postgresql_database_object(sepgsql_db_t)
> +
> +type sepgsql_table_t;
> +postgresql_table_object(sepgsql_table_t)
> +type sepgsql_sysobj_t;
> +postgresql_system_table_object(sepgsql_sysobj_t)
> +type sepgsql_secret_table_t;
> +postgresql_table_object(sepgsql_secret_table_t)
> +type sepgsql_ro_table_t;
> +postgresql_table_object(sepgsql_ro_table_t)
> +type sepgsql_fixed_table_t;
> +postgresql_table_object(sepgsql_fixed_table_t)
> +
> +type sepgsql_proc_t;
> +postgresql_procedure_object(sepgsql_proc_t)
> +type sepgsql_trusted_proc_t;
> +postgresql_procedure_object(sepgsql_trusted_proc_t)
> +
> +type sepgsql_blob_t;
> +postgresql_blob_object(sepgsql_blob_t)
> +type sepgsql_ro_blob_t;
> +postgresql_blob_object(sepgsql_ro_blob_t)
> +type sepgsql_secret_blob_t;
> +postgresql_blob_object(sepgsql_secret_blob_t)
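Review bot: `gen_tunable(sepgsql_enable_users_ddl, true)` switches the more permissive behaviour on by default. Since enabling it lets every unprivileged client create and drop tables and columns and write system catalog tuples (see the tunable block in the client section below), the conservative default is `false`, and the `<desc>` should read "Allow unprivileged users to execute DDL statements".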
The declarations should be moved up with the other declarations in this
file.
> +########################################
> +#
> +# SE-PostgreSQL unpriv-Client domain local policy
> +# (sepgsql_client_type)
> +
> +allow sepgsql_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
> +
> +allow sepgsql_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
> +allow sepgsql_client_type sepgsql_table_t : db_column { getattr use select update insert };
> +allow sepgsql_client_type sepgsql_table_t : db_tuple { use select update insert delete };
> +
> +tunable_policy(`sepgsql_enable_users_ddl',`
> + allow sepgsql_client_type sepgsql_table_t : db_table { create drop setattr };
> + allow sepgsql_client_type sepgsql_table_t : db_column { create drop setattr };
> + allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { update insert delete };
> +')
> +
> +allow sepgsql_client_type sepgsql_sysobj_t : db_table { getattr use select };
> +allow sepgsql_client_type sepgsql_sysobj_t : db_column { getattr use select };
> +allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { use select };
> +
> +allow sepgsql_client_type sepgsql_secret_table_t : db_table { getattr };
> +allow sepgsql_client_type sepgsql_secret_table_t : db_column { getattr };
> +
> +allow sepgsql_client_type sepgsql_ro_table_t : db_table { getattr use select };
> +allow sepgsql_client_type sepgsql_ro_table_t : db_column { getattr use select };
> +allow sepgsql_client_type sepgsql_ro_table_t : db_tuple { use select };
> +
> +allow sepgsql_client_type sepgsql_fixed_table_t : db_table { getattr use select insert };
> +allow sepgsql_client_type sepgsql_fixed_table_t : db_column { getattr use select insert };
> +allow sepgsql_client_type sepgsql_fixed_table_t : db_tuple { use select insert };
> +
> +allow sepgsql_client_type sepgsql_proc_t : db_procedure { getattr execute };
> +allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
> +
> +allow sepgsql_client_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
> +allow sepgsql_client_type sepgsql_ro_blob_t : db_blob { getattr read };
> +allow sepgsql_client_type sepgsql_secret_blob_t : db_blob { getattr };
> +
> +# call trusted procedure
> +type_transition sepgsql_client_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
> +allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };
> +
> +# type transitions for rest of domains
> +type_transition sepgsql_client_type postgresql_t : db_database sepgsql_db_t;
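Review bot: the table flavours introduced here carry no comments, so a reader cannot tell from the hunk what each is for: sepgsql_secret_table_t gets `getattr` only, sepgsql_ro_table_t gets `getattr use select`, and sepgsql_fixed_table_t gets `getattr use select insert` with no `update` or `delete` (an append-only table, presumably). A one-line comment above each group stating its intent would make the policy reviewable and keep later edits from silently widening it. Style nit on the first rule: `set_param}` is missing the space before the closing brace.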
Seems like this type_transition should go in the above
sepgsql_enable_users_ddl tunable.
> +type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_table sepgsql_table_t;
> +type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
> +type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_blob sepgsql_blob_t;
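Review bot: these three rules subtract sepgsql_unconfined_type and sepgsql_userdom_type from the source set, but nothing in the hunk states what label a table, procedure or blob created by an excluded domain receives, nor where the per-userdomain rules for sepgsql_userdom_type live. A comment giving the intended fallback and pointing at the template would make the negation understandable without reading postgresql.if.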
Is the negation here to prevent type_transition conflicts/duplicates?
It seems that if the user template is instantiated, then it should
already have all the access that a client might have. I'm still
thinking about it, but we might want to just drop the type transition
out of the unconfined section and just require that something that is
unconfined should be either a client or userdom too, to make sure the
type_transitions are correct.
This whole section should probably just go into postgresql_client() and
then the attribute could be dropped.
> +########################################
> +#
> +# SE-PostgreSQL Misc policies
> +#
> +
> +# Trusted Procedure Domain
> +domain_type(sepgsql_trusted_domain_t)
> +postgresql_unconfined(sepgsql_trusted_domain_t)
> +role system_r types sepgsql_trusted_domain_t;
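Review bot: sepgsql_trusted_domain_t is made fully unconfined for the database (`postgresql_unconfined(sepgsql_trusted_domain_t)`) and every client can enter it through the transition on sepgsql_trusted_proc_t (`allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };`), so the whole scheme rests on who may create or relabel a procedure into sepgsql_trusted_proc_t. Clients correctly get only `{ getattr execute entrypoint }` on that type, but this is the place to say so in a comment, and a neverallow denying `create setattr relabelto` on sepgsql_trusted_proc_t to non-administrative client domains would enforce it rather than rely on the absence of rules.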
This declaration should go with the others. sepgsql_trusted_proc_t
seems like a better type name.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-19 14:45 ` Christopher J. PeBenito
@ 2008-03-21 4:32 ` KaiGai Kohei
2008-03-21 5:11 ` KaiGai Kohei
2008-03-24 18:44 ` Christopher J. PeBenito
0 siblings, 2 replies; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-21 4:32 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
Chris, thanks for your review.
The rest of the comments are below.
Christopher J. PeBenito wrote:
> On Mon, 2008-03-17 at 18:31 +0900, Kohei KaiGai wrote:
>> The attached patch provides revised SE-PostgreSQL policy.
>>
>> Updates from the previous version:
>> o sepgsql_enable_unconfined was removed.
>> o conditional type_transition was removed.
>>
>> However, the following policies are unchanged, because I'm not
>> sure what is your opinion.
>> - In kernel/kernel.te, interfaces declared in services/postgresql.if
>> are invoked.
>> - Unconfined domains cannot invoke user-defined functions for
>> security reasons.
>>
>> In the discussion about conditional type_transition, I mentioned
>> a new boolean "sepgsql_unified_type" to turn on/off per-domain types
>> like sepgsql_user_table_t; it is not included in this patch yet.
>>
>> Please review this one.
>> Thanks,
>>
>
>> Index: refpolicy-sepgsql/policy/modules/kernel/kernel.te
>> ===================================================================
>> --- refpolicy-sepgsql/policy/modules/kernel/kernel.te (revision 2639)
>> +++ refpolicy-sepgsql/policy/modules/kernel/kernel.te (working copy)
>> @@ -358,6 +358,17 @@
>>
>> ########################################
>> #
>> +# Unlabeled database objects
>> +#
>> +optional_policy(`
>> + postgresql_database_object(unlabeled_t)
>> + postgresql_table_object(unlabeled_t)
>> + postgresql_procedure_object(unlabeled_t)
>> + postgresql_blob_object(unlabeled_t)
>> +')
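Review bot: the new block is inserted directly after an existing `########################################` / `#` banner, so it takes over that banner and the section that originally followed the context lines loses its heading. Give the unlabeled-objects block its own banner, closed with `#` like the others, so both sections stay self-describing. Separately, calling postgresql_*_object() from kernel.te makes the kernel layer depend on a services module interface; the kernel.if interfaces Chris suggests below, called from the postgresql module instead, would keep the layering in the usual direction.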
>
> I think interfaces should be added to kernel.if to allow the appropriate
> access. It seems that the database would have some access to the
> objects, and then an admin would be able to relabel from unlabeled_t for
> db_database, db_table, etc.
>
> for example:
>
> interface(`kernel_relabelfrom_unlabeled_table',`
> 	gen_require(`
> 		type unlabeled_t;
> 		class db_table relabelfrom;
> 	')
>
> 	allow $1 unlabeled_t:db_table relabelfrom;
> ')
OK,
The previous policy allows unconfined domains to access invalid contexts,
but relabeling before using them is fair enough.
In addition, the 'update' permission is necessary for the db_tuple class, and
the 'setattr' permission is necessary for every other database class.
>> Index: refpolicy-sepgsql/policy/modules/services/postgresql.if
>> ===================================================================
>> --- refpolicy-sepgsql/policy/modules/services/postgresql.if (revision 2639)
>> +++ refpolicy-sepgsql/policy/modules/services/postgresql.if (working copy)
>> @@ -120,3 +120,228 @@
>> # Some versions of postgresql put the sock file in /tmp
>> allow $1 postgresql_tmp_t:sock_file write;
>> ')
>> +
>> +#######################################
>> +## <summary>
>> +## The userdomain template for the SE-PostgreSQL.
>> +## </summary>
>> +## <desc>
>> +## This template creates a delivered types which are used
>> +## for given userdomains.
>> +## </desc>
>> +## <param name="userdomain_prefix">
>> +## <summary>
>> +## The prefix of the user domain (e.g., user
>> +## is the prefix for user_t).
>> +## </summary>
>> +## </param>
>> +#
>> +template(`postgresql_userdom_template',`
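Review bot: the `<desc>` text "This template creates a delivered types which are used for given userdomains." should read "This template creates the derived types used by the given user domain." The header also documents a single `userdomain_prefix` parameter while the body builds `$1_t` and `$1_r` from it; if the template moves to the three-parameter per-role shape Chris asked for, the `<param>` entries need to change with it.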
- snip -
>> + ##############################
>> + #
>> + # Client local policy
>> + #
>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
>
> This should probably transition even if it's unconfined. If a user
> starts out unconfined and then the admin later decides the user should
> be confined, the user will lose access to its object, right?
No. In this case, a new confined user can access its object if it was
not explicitly relabeled.
The default type of db_table objects created by unconfined users is sepgsql_table_t.
Any confined user can also access them, with restricted permissions.
>> + tunable_policy(`sepgsql_enable_users_ddl',`
>> + allow $1_t sepgsql_$1_table_t : db_table { create drop };
>> + allow $1_t sepgsql_$1_table_t : db_column { create drop };
>> + allow $1_t sepgsql_$1_sysobj_t : db_tuple { update insert delete };
>> + ')
>> +
>> + allow $1_t sepgsql_$1_table_t : db_table { getattr setattr use select update insert delete };
>> + allow $1_t sepgsql_$1_table_t : db_column { getattr setattr use select update insert };
>> + allow $1_t sepgsql_$1_table_t : db_tuple { use select update insert delete };
>> + allow $1_t sepgsql_$1_sysobj_t : db_tuple { use select };
>> +
>> + allow $1_t sepgsql_$1_proc_t : db_procedure { create drop getattr setattr execute };
>> +
>> + allow $1_t sepgsql_$1_blob_t : db_blob { create drop getattr setattr read write };
>> +
>> + # Trusted Procedure
>> + role $1_r types sepgsql_trusted_domain_t;
>> +')
>
> Seems that this should have 3 parameters, just like per-role templates.
> Then $1_t becomes $2 and $1_r becomes $3.
OK,
>> --- refpolicy-sepgsql/policy/modules/services/postgresql.te (revision 2639)
>> +++ refpolicy-sepgsql/policy/modules/services/postgresql.te (working copy)
>> @@ -166,3 +166,178 @@
>> optional_policy(`
>> udev_read_db(postgresql_t)
>> ')
>> +
>> +#################################
>> +#
>> +# SE-PostgreSQL Boolean declarations
>> +#
>> +
>> +## <desc>
>> +## <p>
>> +## Allow unprived users to execute DDL statement
>> +## </p>
>> +## </desc>
>> +gen_tunable(sepgsql_enable_users_ddl, true)
>> +
>> +#################################
>> +#
>> +# SE-PostgreSQL Type/Attribute declarations
>> +#
>> +
>> +# database subjects
>> +attribute sepgsql_client_type;
>> +attribute sepgsql_unconfined_type;
>> +attribute sepgsql_userdom_type;
- snip -
>> +type sepgsql_ro_blob_t;
>> +postgresql_blob_object(sepgsql_ro_blob_t)
>> +type sepgsql_secret_blob_t;
>> +postgresql_blob_object(sepgsql_secret_blob_t)
>
> The declarations should be moved up with the other declarations in this
> file.
OK,
>> +########################################
>> +#
>> +# SE-PostgreSQL unpriv-Client domain local policy
>> +# (sepgsql_client_type)
>> +
>> +allow sepgsql_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
- snip -
>> +# call trusted procedure
>> +type_transition sepgsql_client_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
>> +allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };
>> +
>> +# type transitions for rest of domains
>> +type_transition sepgsql_client_type postgresql_t : db_database sepgsql_db_t;
>
> Seems like this type_transition should go in the above
> sepgsql_enable_users_ddl tunable.
This type_transition rule also covers unconfined domains, and confined users
can never define a new database.
Thus, it is not necessary for it to be conditional.
>> +type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_table sepgsql_table_t;
>> +type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
>> +type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_blob sepgsql_blob_t;
>
> Is the negation here to prevent type_transition conflicts/duplicates?
Yes.
sepgsql_client_type is the set of all client domains that connect to SE-PostgreSQL.
sepgsql_unconfined_type and sepgsql_userdom_type are subsets of it,
and they may overlap.
(E.g. unconfined_t is an unconfined domain, but it also has a user domain prefix.)
> It seems that if the user template is instantiated, then it should
> already have all the access that a client might have. I'm still
> thinking about it, but we might want to just drop the type transition
> out of the unconfined section and just require that something that is
> unconfined should be either a client or userdom too, to make sure the
> type_transitions are correct.
In this policy, sepgsql_client_type is also given a minimum set of permissions:
+interface(`postgresql_unconfined',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_unconfined_type;
+ typeattribute $1 sepgsql_client_type;
+')
It is a relic from when the unconfined domain was conditional, and is unnecessary now.
It does not need to invoke a trusted procedure when the unconfined domain
is persistent, and the unconfined domain will not need to be within userdom
because it does not create objects with any user prefix.
> This whole section should probably just go into postgresql_client() and
> then the attribute could be dropped.
However, I want to retain sepgsql_client_type to mark domains as clients
of SE-PostgreSQL, separately from the minimum set of permissions.
It makes it easier to describe user-defined policy.
(Like an auditallow switch for debugging.)
>> +########################################
>> +#
>> +# SE-PostgreSQL Misc policies
>> +#
>> +
>> +# Trusted Procedure Domain
>> +domain_type(sepgsql_trusted_domain_t)
>> +postgresql_unconfined(sepgsql_trusted_domain_t)
>> +role system_r types sepgsql_trusted_domain_t;
>
> This declaration should go with the others. sepgsql_trusted_proc_t
> seems like a better type name.
sepgsql_trusted_proc_t is already used as the type of SQL functions....
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
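To make the negation argument above concrete, the following is an added model (not part of the patch or of refpolicy) that parses type_transition rules in the syntax under review, expands attributes into concrete types, and reports every (source, target, class) triple claimed by two rules. The attribute memberships and the user_t/staff_t/httpd_t/unconfined_t domains are constructed assumptions; unconfined_t carrying both the userdom and the unconfined attribute is the overlap KaiGai describes.

```python
"""Model of SELinux type_transition resolution over overlapping attributes.

Added example for the set-negation discussion; not part of the patch or of
refpolicy. Attribute memberships and domain names are constructed.
"""
import re

# attribute -> concrete types carrying it (constructed for the example)
ATTRIBUTES = {
    "sepgsql_client_type": {"user_t", "staff_t", "unconfined_t", "httpd_t"},
    "sepgsql_userdom_type": {"user_t", "staff_t", "unconfined_t"},
    "sepgsql_unconfined_type": {"unconfined_t"},
    "sepgsql_database_type": {"sepgsql_db_t"},
}

# type_transition SOURCE TARGET : CLASS DEFAULT ;   (SOURCE/TARGET may be { a - b })
RULE_RE = re.compile(
    r"type_transition\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+)"
    r"\s*:\s*(?P<cls>\w+)\s+(?P<default>\w+)\s*;"
)


def expand(spec):
    """Expand a type/attribute expression into the set of concrete types.

    A bare name is an attribute (expanded) or a type (itself); inside braces,
    names are unioned and `- name` subtracts, as in the rules under review.
    """
    spec = spec.strip()
    if not spec.startswith("{"):
        return set(ATTRIBUTES.get(spec, {spec}))
    tokens = spec.strip("{}").split()
    result = expand(tokens[0])
    i = 1
    while i < len(tokens):
        if tokens[i] == "-":
            result = result - expand(tokens[i + 1])
            i += 2
        else:
            result = result | expand(tokens[i])
            i += 1
    return result


def parse_rules(policy_text):
    """Return (sources, targets, class, default) with sources/targets expanded."""
    return [(expand(m["src"]), expand(m["tgt"]), m["cls"], m["default"])
            for m in RULE_RE.finditer(policy_text)]


def default_types(rules, source, target, cls):
    """All default types that the rules assign to one (source, target, class)."""
    return {d for srcs, tgts, c, d in rules
            if source in srcs and target in tgts and c == cls}


def conflicts(rules):
    """(source, target, class, defaults) for every triple claimed by more than
    one rule; the policy compiler rejects such a policy as conflicting."""
    triples = set()
    for srcs, tgts, c, _ in rules:
        triples |= {(s, t, c) for s in srcs for t in tgts}
    found = []
    for s, t, c in sorted(triples):
        defaults = default_types(rules, s, t, c)
        if len(defaults) > 1:
            found.append((s, t, c, tuple(sorted(defaults))))
    return found


# The global rule from postgresql.te next to the userdom template instantiated
# for user, staff and unconfined (template rule: `{ $1_t - sepgsql_unconfined_type }`).
WITH_NEGATION = """
type_transition { sepgsql_client_type - sepgsql_unconfined_type - sepgsql_userdom_type } sepgsql_database_type : db_table sepgsql_table_t;
type_transition { user_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_user_table_t;
type_transition { staff_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_staff_table_t;
type_transition { unconfined_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_unconfined_table_t;
"""

# The same rules with the set subtraction removed: every userdom matches twice.
WITHOUT_NEGATION = """
type_transition sepgsql_client_type sepgsql_database_type : db_table sepgsql_table_t;
type_transition user_t sepgsql_database_type : db_table sepgsql_user_table_t;
type_transition staff_t sepgsql_database_type : db_table sepgsql_staff_table_t;
type_transition unconfined_t sepgsql_database_type : db_table sepgsql_unconfined_table_t;
"""

if __name__ == "__main__":
    for name, text in (("with negation", WITH_NEGATION), ("without negation", WITHOUT_NEGATION)):
        rules = parse_rules(text)
        print(f"{name}: conflicts = {conflicts(rules)}")
        for dom in ("user_t", "httpd_t", "unconfined_t"):
            got = default_types(rules, dom, "sepgsql_db_t", "db_table")
            print(f"  {dom} creating a db_table in sepgsql_db_t -> {got or 'no rule, object manager default'}")
```

With the negation in place no triple is claimed twice and unconfined_t matches no rule at all, which is the fallback the thread discusses; without it user_t, staff_t and unconfined_t each match both the global rule and their template rule.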
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-21 4:32 ` KaiGai Kohei
@ 2008-03-21 5:11 ` KaiGai Kohei
2008-03-24 18:44 ` Christopher J. PeBenito
1 sibling, 0 replies; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-21 5:11 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
>> It seems that if the user template is instantiated, then it should
>> already have all the access that a client might have. I'm still
>> thinking about it, but we might want to just drop the type transition
>> out of the unconfined section and just require that something that is
>> unconfined should be either a client or userdom too, to make sure the
>> type_transitions are correct.
>
> In this policy, sepgsql_client_type is also given a minimum set of permissions:
>
> +interface(`postgresql_unconfined',`
> + gen_require(`
> + attribute sepgsql_unconfined_type;
> + attribute sepgsql_client_type;
> + ')
> + typeattribute $1 sepgsql_unconfined_type;
> + typeattribute $1 sepgsql_client_type;
> +')
>
> It is a relic from when the unconfined domain was conditional, and is unnecessary now.
> It does not need to invoke a trusted procedure when the unconfined domain
> is persistent, and the unconfined domain will not need to be within userdom
> because it does not create objects with any user prefix.
>
>> This whole section should probably just go into postgresql_client() and
>> then the attribute could be dropped.
>
> However, I want to retain sepgsql_client_type to mark domains as clients
> of SE-PostgreSQL, separately from the minimum set of permissions.
> It makes it easier to describe user-defined policy.
> (Like an auditallow switch for debugging.)
Oops, if the whole section is moved to postgresql_client(), we have to put
the sepgsql_enable_users_ddl tunable section within the interface.
What do you think of the following idea?
1. type_transition rules are moved to postgresql_client() or
postgresql_userdom_template().
(sepgsql_db_t is an exception; it is common to any client.)
2. A new attribute sepgsql_unpriv_client_type gives a set of
baseline permissions, including the sepgsql_enable_users_ddl
tunable.
--> It means any client domain belongs to sepgsql_client_type
and to either sepgsql_unconfined_type or sepgsql_unpriv_client_type.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-21 4:32 ` KaiGai Kohei
2008-03-21 5:11 ` KaiGai Kohei
@ 2008-03-24 18:44 ` Christopher J. PeBenito
2008-03-25 10:35 ` KaiGai Kohei
1 sibling, 1 reply; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-03-24 18:44 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: KaiGai Kohei, selinux
On Fri, 2008-03-21 at 13:32 +0900, KaiGai Kohei wrote:
> Chris, thanks for your review.
>
> The rest of the comments are below.
>
> Christopher J. PeBenito wrote:
> > On Mon, 2008-03-17 at 18:31 +0900, Kohei KaiGai wrote:
> >> The attached patch provides revised SE-PostgreSQL policy.
> >> +template(`postgresql_userdom_template',`
> - snip -
> >> + ##############################
> >> + #
> >> + # Client local policy
> >> + #
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
I missed this previously but I just realized that to be consistent with
the rest of the policy the prefix should actually be a prefix, not an
infix, i.e. the types should be like $1_sepgsql_table_t, not
sepgsql_$1_table_t.
> > This should probably transition even if it's unconfined. If a user
> > starts out unconfined and then the admin later decides the user should
> > be confined, the user will lose access to its object, right?
>
> No. In this case, a new confined user can access its object if it was
> not explicitly relabeled.
> The default type of db_table objects created by unconfined users is sepgsql_table_t.
> Any confined user can also access them, with restricted permissions.
I finally realized what the problem with the type_transitions is. You have
many of them to set up the default type for tables, procedures, blobs,
etc. Shouldn't the default labels just be settings in a config file?
Then all of the complex type transitioning behavior isn't needed.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-24 18:44 ` Christopher J. PeBenito
@ 2008-03-25 10:35 ` KaiGai Kohei
2008-03-25 13:24 ` Christopher J. PeBenito
0 siblings, 1 reply; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-25 10:35 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
Christopher J. PeBenito wrote:
> On Fri, 2008-03-21 at 13:32 +0900, KaiGai Kohei wrote:
>> Chris, thanks for your review.
>>
>> The rest of the comments are below.
>>
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-03-17 at 18:31 +0900, Kohei KaiGai wrote:
>>>> The attached patch provides revised SE-PostgreSQL policy.
>
>>>> +template(`postgresql_userdom_template',`
>> - snip -
>>>> + ##############################
>>>> + #
>>>> + # Client local policy
>>>> + #
>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
>
> I missed this previously but I just realized that to be consistent with
> the rest of the policy the prefix should actually be a prefix, not an
> infix, i.e. the types should be like $1_sepgsql_table_t, not
> sepgsql_$1_table_t.
I want to keep "sepgsql_" as a prefix for types related to SE-PostgreSQL,
because all of them have a uniform naming convention.
Can you consider that the leading "sepgsql_" means its assumed object manager,
and that we are omitting it for most of the types managed by the kernel?
I feel that object manager identification should have a higher priority than
the user domain prefix in the naming convention.
In my view, "kernel_user_home_t" is better than "user_kernel_home_t",
if the object manager identification is not omitted.
However, it is just a name. I don't oppose this strongly.
>>> This should probably transition even if it's unconfined. If a user
>>> starts out unconfined and then the admin later decides the user should
>>> be confined, the user will lose access to its object, right?
>> No. In this case, a new confined user can access its object if it was
>> not explicitly relabeled.
>> The default type of db_table objects created by unconfined users is sepgsql_table_t.
>> Any confined user can also access them, with restricted permissions.
>
> I finally realized what the problem with the type_transitions is. You have
> many of them to set up the default type for tables, procedures, blobs,
> etc. Shouldn't the default labels just be settings in a config file?
> Then all of the complex type transitioning behavior isn't needed.
I dislike this option.
It can make it harder to find the cause of trouble that comes from labeling behavior
if end users put in an incorrect configuration. In particular, I don't want to require
additional configuration from database folks, because they are not SELinux specialists.
It can be configured simply enough in the security policy, so the default behavior
should also be described there.
In the latest patch, these rules are simpler.
Domains with template -> sepgsql_FOO_table_t convention
Domains without template -> sepgsql_table_t convention
We have no conditional type_transitions or negative set operations now.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-25 10:35 ` KaiGai Kohei
@ 2008-03-25 13:24 ` Christopher J. PeBenito
2008-03-27 9:52 ` KaiGai Kohei
0 siblings, 1 reply; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-03-25 13:24 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: KaiGai Kohei, selinux
On Tue, 2008-03-25 at 19:35 +0900, KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2008-03-21 at 13:32 +0900, KaiGai Kohei wrote:
> >> Chris, thanks for your review.
> >>
> >> The rest of the comments are below.
> >>
> >> Christopher J. PeBenito wrote:
> >>> On Mon, 2008-03-17 at 18:31 +0900, Kohei KaiGai wrote:
> >>>> The attached patch provides revised SE-PostgreSQL policy.
> >
> >>>> +template(`postgresql_userdom_template',`
> >> - snip -
> >>>> + ##############################
> >>>> + #
> >>>> + # Client local policy
> >>>> + #
> >>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
> >>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
> >>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
> >>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
> >
> > I missed this previously but I just realized that to be consistent with
> > the rest of the policy the prefix should actually be a prefix, not an
> > infix, i.e. the types should be like $1_sepgsql_table_t, not
> > sepgsql_$1_table_t.
>
> I want to keep "sepgsql_" as a prefix for types related to SE-PostgreSQL,
> because all of them have a uniform naming convention.
> Can you consider that the leading "sepgsql_" means its assumed object manager,
> and that we are omitting it for most of the types managed by the kernel?
> I feel that object manager identification should have a higher priority than
> the user domain prefix in the naming convention.
> In my view, "kernel_user_home_t" is better than "user_kernel_home_t",
> if the object manager identification is not omitted.
>
> However, it is just a name. I don't oppose this strongly.
I think we want consistency across the policy in naming. Whether a type
goes with a userspace object manager can be determined from what
object classes have the label.
> >>> This should probably transition even if it's unconfined. If a user
> >>> starts out unconfined and then the admin later decides the user should
> >>> be confined, the user will lose access to its object, right?
> >> No. In this case, a new confined user can access its object if it was
> >> not explicitly relabeled.
> >> The default type of db_table objects created by unconfined users is sepgsql_table_t.
> >> Any confined user can also access them, with restricted permissions.
> >
> > I finally realized what the problem with the type_transitions is. You have
> > many of them to set up the default type for tables, procedures, blobs,
> > etc. Shouldn't the default labels just be settings in a config file?
> > Then all of the complex type transitioning behavior isn't needed.
>
> I dislike this option.
> It can make it harder to find the cause of trouble that comes from labeling behavior
> if end users put in an incorrect configuration. In particular, I don't want to require
> additional configuration from database folks, because they are not SELinux specialists.
> It can be configured simply enough in the security policy, so the default behavior
> should also be described there.
I think I was a little unclear. I'm suggesting they go in a file
like /etc/selinux/refpolicy/contexts/postgresql_contexts, not in a
primary config file for postgresql.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-25 13:24 ` Christopher J. PeBenito
@ 2008-03-27 9:52 ` KaiGai Kohei
2008-03-27 13:23 ` Christopher J. PeBenito
0 siblings, 1 reply; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-27 9:52 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
Christopher J. PeBenito wrote:
> On Tue, 2008-03-25 at 19:35 +0900, KaiGai Kohei wrote:
>> Christopher J. PeBenito wrote:
>>> On Fri, 2008-03-21 at 13:32 +0900, KaiGai Kohei wrote:
>>>> Chris, thanks for your review.
>>>>
>>>> The rest of the comments are below.
>>>>
>>>> Christopher J. PeBenito wrote:
>>>>> On Mon, 2008-03-17 at 18:31 +0900, Kohei KaiGai wrote:
>>>>>> The attached patch provides revised SE-PostgreSQL policy.
>>>>>> +template(`postgresql_userdom_template',`
>>>> - snip -
>>>>>> + ##############################
>>>>>> + #
>>>>>> + # Client local policy
>>>>>> + #
>>>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
>>>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
>>>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
>>>>>> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
>>> I missed this previously but I just realized that to be consistent with
>>> the rest of the policy the prefix should actually be a prefix, not an
>>> infix, i.e. the types should be like $1_sepgsql_table_t, not
>>> sepgsql_$1_table_t.
>> I want to keep "sepgsql_" as a prefix for types related to SE-PostgreSQL,
>> because all of them have a uniform naming convention.
>> Can you consider that the leading "sepgsql_" means its assumed object manager,
>> and that we are omitting it for most of the types managed by the kernel?
>> I feel that object manager identification should have a higher priority than
>> the user domain prefix in the naming convention.
>> In my view, "kernel_user_home_t" is better than "user_kernel_home_t",
>> if the object manager identification is not omitted.
>>
>> However, it is just a name. I don't oppose this strongly.
>
> I think we want consistency across the policy in naming. Whether a type
> goes with a userspace object manager can be determined from what
> object classes have the label.
OK, I'll change the previous naming convention.
>>>>> This should probably transition even if it's unconfined. If a user
>>>>> starts out unconfined and then the admin later decides the user should
>>>>> be confined, the user will lose access to its object, right?
>>>> No. In this case, a new confined user can access its object if it was
>>>> not explicitly relabeled.
>>>> The default type of db_table objects created by unconfined users is sepgsql_table_t.
>>>> Any confined user can also access them, with restricted permissions.
>>> I finally realized what the problem with the type_transitions is. You have
>>> many of them to set up the default type for tables, procedures, blobs,
>>> etc. Shouldn't the default labels just be settings in a config file?
>>> Then all of the complex type transitioning behavior isn't needed.
>> I dislike this option.
>> It can make it harder to find the cause of trouble that comes from labeling behavior
>> if end users put in an incorrect configuration. In particular, I don't want to require
>> additional configuration from database folks, because they are not SELinux specialists.
>> It can be configured simply enough in the security policy, so the default behavior
>> should also be described there.
>
> I think I was a little unclear. I'm suggesting they go in a file
> like /etc/selinux/refpolicy/contexts/postgresql_contexts, not in a
> primary config file for postgresql.
Yes, I have the same implementation image as you suggested.
However, I don't want to add this kind of stuff when it can be described
within the security policy, because it gives us uncertainties about SE-PostgreSQL's
behavior. It shall make it harder to find the cause of trouble that comes from labeling
matters, as I said before.
I want to ask it again.
Do you consider that they are really complex type_transition rules now?
They are not conditional, not set operations.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-27 9:52 ` KaiGai Kohei
@ 2008-03-27 13:23 ` Christopher J. PeBenito
2008-03-28 4:50 ` KaiGai Kohei
0 siblings, 1 reply; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-03-27 13:23 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: KaiGai Kohei, selinux
On Thu, 2008-03-27 at 18:52 +0900, KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2008-03-25 at 19:35 +0900, KaiGai Kohei wrote:
> >> Christopher J. PeBenito wrote:
> >>> I finally realized what the problem is with the type_transitions. You have
> >>> many of them to set up the default type for tables, procedures, blobs,
> >>> etc. Shouldn't the default labels just be settings in a config file?
> >>> Then all of the complex type transitioning behavior isn't needed.
> >> I dislike this option.
> >> It can make it harder to find the cause of trouble that comes from labeling behavior
> >> if end users put in an incorrect configuration. Especially, I don't want to require
> >> additional configuration from database folks, because they are not SELinux specialists.
> >> It can be configured simply enough in the security policy, so the default behavior
> >> should also be described there.
> >
> > I think I was a little unclear. I'm suggesting they go in a file
> > like /etc/selinux/refpolicy/contexts/postgresql_contexts, not in a
> > primary config file for postgresql.
>
> Yes, I have the same implementation image as you suggested.
>
> However, I don't want to add this kind of stuff when it can be described
> within the security policy, because it gives us uncertainties about SE-PostgreSQL's
> behavior. It shall make it harder to find the cause of trouble that comes from labeling
> matters, as I said before.
I'm not very compelled by this argument because it's well understood that
these *_contexts files should match the policy; otherwise you get unknown
behavior.
> Do you consider that they are really complex type_transition rules now?
> They are not conditional, not set operations.
Sounds like they are ok, but I'd have to see the policy to make sure.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-27 13:23 ` Christopher J. PeBenito
@ 2008-03-28 4:50 ` KaiGai Kohei
2008-05-05 13:48 ` Christopher J. PeBenito
0 siblings, 1 reply; 34+ messages in thread
From: KaiGai Kohei @ 2008-03-28 4:50 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
[-- Attachment #1: Type: text/plain, Size: 1445 bytes --]
>> Do you consider they are really complex type_transition rules now?
>> They are not conditional, not set operations.
>
> Sounds like they are ok, but I'd have to see the policy to make sure.
I'm sorry, I didn't submit the latest one yet, although I gave assurance
to update some points you pointed out.
The attached one is the latest one.
Please confirm this version.
Significant updates:
- kernel_relabelfrom_unlabeled_database() is added to kernel/kernel.if.
It enables sepgsql_unconfined_type to relabel unlabeled_t to other types.
- All types/attributes/booleans are declared at the head of services/postgresql.te.
- postgresql_userdom_template() requires three arguments: prefix, domain and role.
- The naming convention is changed. When a userdomain tries to create a new object,
it is labeled as FOO_sepgsql_table_t, not sepgsql_FOO_table_t.
- The target of type_transition is unconditional.
If a userdomain creates a new object, it is always labeled as FOO_sepgsql_xxx_t.
If others create a new one, it is always labeled as sepgsql_xxx_t.
- A new attribute, sepgsql_unpriv_client_type, provides baseline permissions to
attached domains. It is necessary to avoid deploying the sepgsql_enable_users_ddl
boolean within interfaces.
- The meaning of sepgsql_client_type is changed. It means the set of domains
connectable to SE-PostgreSQL.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-sepostgresql.5.patch --]
[-- Type: text/x-patch, Size: 20897 bytes --]
Index: refpolicy-sepgsql/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-sepgsql/policy/modules/kernel/kernel.if (revision 2647)
+++ refpolicy-sepgsql/policy/modules/kernel/kernel.if (working copy)
@@ -2493,6 +2493,35 @@
########################################
## <summary>
+## Relabelfrom unlabeled database objects of SE-PostgreSQL
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_database',`
+ gen_require(`
+ type unlabeled_t;
+
+ class db_database { setattr relabelfrom };
+ class db_table { setattr relabelfrom };
+ class db_procedure { setattr relabelfrom };
+ class db_column { setattr relabelfrom };
+ class db_tuple { update relabelfrom };
+ class db_blob { setattr relabelfrom };
+ ')
+ allow $1 unlabeled_t:db_database { setattr relabelfrom };
+ allow $1 unlabeled_t:db_table { setattr relabelfrom };
+ allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
+ allow $1 unlabeled_t:db_column { setattr relabelfrom };
+ allow $1 unlabeled_t:db_tuple { update relabelfrom };
+ allow $1 unlabeled_t:db_blob { setattr relabelfrom };
+')
+
+########################################
+## <summary>
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
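Review bot: the interface grants more than its name and summary say. Every allow line also carries `setattr` (or `update` for db_tuple) on unlabeled_t, not only `relabelfrom`, so a caller that asks to relabel from unlabeled objects also gets attribute-write access to them. Either state in the summary that setattr/update are required to carry out the relabel, or drop them from the interface.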
Index: refpolicy-sepgsql/policy/modules/services/postgresql.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.if (revision 2647)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.if (working copy)
@@ -120,3 +120,264 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+#######################################
+## <summary>
+## The userdomain template for the SE-PostgreSQL.
+## </summary>
+## <desc>
+## This template creates a delivered types which are used
+## for given userdomains.
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`postgresql_userdom_template',`
+ gen_require(`
+ class db_database all_db_database_perms;
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_client_type;
+ attribute sepgsql_unpriv_client_type;
+ attribute sepgsql_database_type;
+ attribute sepgsql_sysobj_table_type;
+
+ type sepgsql_trusted_proc_t;
+ type sepgsql_trusted_domain_t;
+
+ bool sepgsql_enable_users_ddl;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ typeattribute $2 sepgsql_client_type;
+ typeattribute $2 sepgsql_unpriv_client_type;
+
+ type $1_sepgsql_table_t;
+ postgresql_table_object($1_sepgsql_table_t)
+
+ type $1_sepgsql_sysobj_t;
+ postgresql_system_table_object($1_sepgsql_sysobj_t)
+
+ type $1_sepgsql_proc_t;
+ postgresql_procedure_object($1_sepgsql_proc_t)
+
+ type $1_sepgsql_blob_t;
+ postgresql_blob_object($1_sepgsql_blob_t)
+
+ ##############################
+ #
+ # Client local policy
+ #
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $2 $1_sepgsql_table_t : db_table { create drop };
+ allow $2 $1_sepgsql_table_t : db_column { create drop };
+ allow $2 $1_sepgsql_sysobj_t : db_tuple { update insert delete };
+ ')
+
+ allow $2 $1_sepgsql_table_t : db_table { getattr setattr use select update insert delete };
+ allow $2 $1_sepgsql_table_t : db_column { getattr setattr use select update insert };
+ allow $2 $1_sepgsql_table_t : db_tuple { use select update insert delete };
+ allow $2 $1_sepgsql_sysobj_t : db_tuple { use select };
+
+ allow $2 $1_sepgsql_proc_t : db_procedure { create drop getattr setattr execute };
+
+ allow $2 $1_sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+
+ ##############################
+ #
+ # Type/Domain Transition
+ #
+ type_transition $2 sepgsql_database_type : db_table $1_sepgsql_table_t;
+ type_transition $2 sepgsql_database_type : db_procedure $1_sepgsql_proc_t;
+ type_transition $2 sepgsql_database_type : db_blob $1_sepgsql_blob_t;
+ type_transition $2 sepgsql_sysobj_table_type : db_tuple $1_sepgsql_sysobj_t;
+
+ type_transition $2 sepgsql_trusted_proc_t: process sepgsql_trusted_domain_t;
+ allow $2 sepgsql_trusted_domain_t : process { transition };
+ role $3 types sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unconfined accesses to any database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unconfined',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_unconfined_type;
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unprivileged accesses to unifined database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unpriv_client',`
+ gen_require(`
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_unpriv_client_type;
+ attribute sepgsql_client_type;
+ attribute sepgsql_database_type;
+
+ type sepgsql_table_t;
+ type sepgsql_proc_t;
+ type sepgsql_blob_t;
+
+ type sepgsql_trusted_proc_t;
+ type sepgsql_trusted_domain_t;
+ ')
+ typeattribute $1 sepgsql_unpriv_client_type;
+ typeattribute $1 sepgsql_client_type;
+
+ type_transition $1 sepgsql_database_type : db_table sepgsql_table_t;
+ type_transition $1 sepgsql_database_type : db_procedure sepgsql_proc_t;
+ type_transition $1 sepgsql_database_type : db_blob sepgsql_blob_t;
+
+ type_transition $1 sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
+ allow $1 sepgsql_trusted_domain_t : process { transition };
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_loadable_module',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+ typeattribute $1 sepgsql_module_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL database object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_database_object',`
+ gen_require(`
+ attribute sepgsql_database_type;
+ ')
+ typeattribute $1 sepgsql_database_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ ')
+ typeattribute $1 sepgsql_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL system table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_system_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ attribute sepgsql_sysobj_table_type;
+ ')
+ typeattribute $1 sepgsql_table_type;
+ typeattribute $1 sepgsql_sysobj_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL procedure object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_procedure_object',`
+ gen_require(`
+ attribute sepgsql_procedure_type;
+ ')
+ typeattribute $1 sepgsql_procedure_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL binary large object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database binary large object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_blob_object',`
+ gen_require(`
+ attribute sepgsql_blob_type;
+ ')
+ typeattribute $1 sepgsql_blob_type;
+')
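Review bot: `setattr` on db_table/db_column is gated inconsistently. In postgresql_userdom_template it is granted unconditionally (`allow $2 $1_sepgsql_table_t : db_table { getattr setattr use select update insert delete };`), while the unpriv-client rules in postgresql.te of the same patch put `setattr` inside the `sepgsql_enable_users_ddl` block. ALTER TABLE is DDL, so move `setattr` into the template's tunable_policy block. The doc strings also need fixing: "creates a delivered types" should read "creates derived types", and "unifined database objects" in the postgresql_unpriv_client summary is garbled.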
Index: refpolicy-sepgsql/policy/modules/services/apache.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.te (revision 2647)
+++ refpolicy-sepgsql/policy/modules/services/apache.te (working copy)
@@ -479,6 +479,8 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
')
+
+ postgresql_unpriv_client(httpd_t)
')
optional_policy(`
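Review bot: `postgresql_unpriv_client(httpd_t)` sits outside the `httpd_can_network_connect_db` tunable but inside the same optional_policy block, so httpd_t becomes a database client whenever the postgresql module is present, regardless of that boolean. If that is intended (for example so local-socket connections work with the boolean off), a one-line comment saying so would prevent the next reader from moving it into the tunable.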
Index: refpolicy-sepgsql/policy/modules/services/apache.if
===================================================================
--- refpolicy-sepgsql/policy/modules/services/apache.if (revision 2647)
+++ refpolicy-sepgsql/policy/modules/services/apache.if (working copy)
@@ -226,6 +226,10 @@
')
optional_policy(`
+ postgresql_unpriv_client(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
Index: refpolicy-sepgsql/policy/modules/services/postgresql.te
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.te (revision 2647)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.te (working copy)
@@ -27,6 +27,61 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+#################################
+#
+# Declarations related to SE-PostgreSQL
+#
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
+# database clients attribute
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+attribute sepgsql_unpriv_client_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_sysobj_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database trusted domain
+type sepgsql_trusted_domain_t;
+
+# database object types
+type sepgsql_db_t;
+postgresql_database_object(sepgsql_db_t)
+
+type sepgsql_table_t;
+postgresql_table_object(sepgsql_table_t)
+type sepgsql_sysobj_t;
+postgresql_system_table_object(sepgsql_sysobj_t)
+type sepgsql_secret_table_t;
+postgresql_table_object(sepgsql_secret_table_t)
+type sepgsql_ro_table_t;
+postgresql_table_object(sepgsql_ro_table_t)
+type sepgsql_fixed_table_t;
+postgresql_table_object(sepgsql_fixed_table_t)
+
+type sepgsql_proc_t;
+postgresql_procedure_object(sepgsql_proc_t)
+type sepgsql_trusted_proc_t;
+postgresql_procedure_object(sepgsql_trusted_proc_t)
+
+type sepgsql_blob_t;
+postgresql_blob_object(sepgsql_blob_t)
+type sepgsql_ro_blob_t;
+postgresql_blob_object(sepgsql_ro_blob_t)
+type sepgsql_secret_blob_t;
+postgresql_blob_object(sepgsql_secret_blob_t)
+
########################################
#
# postgresql Local policy
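Review bot: `gen_tunable(sepgsql_enable_users_ddl, true)` ships a permission-widening boolean switched on by default, so every unprivileged client can create and drop tables until an administrator turns it off; consider whether the shipped default should be `false` and let sites opt in. The description also has typos: "unprived users" should be "unprivileged users" and "DDL statement" should be "DDL statements".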
@@ -166,3 +221,109 @@
optional_policy(`
udev_read_db(postgresql_t)
')
+
+########################################
+#
+# SE-PostgreSQL Server Local policy
+# (postgresql_t)
+
+allow postgresql_t self : netlink_selinux_socket create_socket_perms;
+selinux_get_fs_mount(postgresql_t)
+selinux_get_enforce_mode(postgresql_t)
+selinux_validate_context(postgresql_t)
+selinux_compute_access_vector(postgresql_t)
+selinux_compute_create_context(postgresql_t)
+selinux_compute_relabel_context(postgresql_t)
+
+allow postgresql_t sepgsql_database_type : db_database *;
+allow postgresql_t sepgsql_module_type : db_database { install_module };
+allow postgresql_t sepgsql_table_type : { db_table db_column db_tuple } *;
+allow postgresql_t sepgsql_procedure_type : db_procedure *;
+allow postgresql_t sepgsql_blob_type : db_blob *;
+
+# server specific type transitions
+type_transition postgresql_t sepgsql_database_type : db_table sepgsql_sysobj_t;
+type_transition postgresql_t sepgsql_database_type : db_procedure sepgsql_proc_t;
+type_transition postgresql_t sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL unconfined domain local policy
+# (sepgsql_unconfined_type)
+
+allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
+allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
+allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t } : db_procedure *;
+allow sepgsql_unconfined_type sepgsql_procedure_type : db_procedure { create drop getattr setattr relabelfrom relabelto };
+allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
+allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
+
+optional_policy(`
+ kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
+')
+
+type_transition sepgsql_unconfined_type sepgsql_database_type : db_table sepgsql_table_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL unpriv-Client domain local policy
+# (sepgsql_unpriv_client_type)
+
+allow sepgsql_unpriv_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
+
+allow sepgsql_unpriv_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
+allow sepgsql_unpriv_client_type sepgsql_table_t : db_column { getattr use select update insert };
+allow sepgsql_unpriv_client_type sepgsql_table_t : db_tuple { use select update insert delete };
+
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_unpriv_client_type sepgsql_table_t : db_table { create drop setattr };
+ allow sepgsql_unpriv_client_type sepgsql_table_t : db_column { create drop setattr };
+ allow sepgsql_unpriv_client_type sepgsql_sysobj_t : db_tuple { update insert delete };
+')
+
+allow sepgsql_unpriv_client_type sepgsql_sysobj_t : db_table { getattr use select };
+allow sepgsql_unpriv_client_type sepgsql_sysobj_t : db_column { getattr use select };
+allow sepgsql_unpriv_client_type sepgsql_sysobj_t : db_tuple { use select };
+
+allow sepgsql_unpriv_client_type sepgsql_secret_table_t : db_table { getattr };
+allow sepgsql_unpriv_client_type sepgsql_secret_table_t : db_column { getattr };
+
+allow sepgsql_unpriv_client_type sepgsql_ro_table_t : db_table { getattr use select };
+allow sepgsql_unpriv_client_type sepgsql_ro_table_t : db_column { getattr use select };
+allow sepgsql_unpriv_client_type sepgsql_ro_table_t : db_tuple { use select };
+
+allow sepgsql_unpriv_client_type sepgsql_fixed_table_t : db_table { getattr use select insert };
+allow sepgsql_unpriv_client_type sepgsql_fixed_table_t : db_column { getattr use select insert };
+allow sepgsql_unpriv_client_type sepgsql_fixed_table_t : db_tuple { use select insert };
+
+allow sepgsql_unpriv_client_type sepgsql_proc_t : db_procedure { getattr execute };
+allow sepgsql_unpriv_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+
+allow sepgsql_unpriv_client_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+allow sepgsql_unpriv_client_type sepgsql_ro_blob_t : db_blob { getattr read };
+allow sepgsql_unpriv_client_type sepgsql_secret_blob_t : db_blob { getattr };
+
+########################################
+#
+# SE-PostgreSQL Misc policies
+#
+
+# Type Transition for database object
+type_transition { postgresql_t sepgsql_client_type } postgresql_t : db_database sepgsql_db_t;
+
+# Trusted Procedure Domain
+domain_type(sepgsql_trusted_domain_t)
+postgresql_unconfined(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type : db_database { load_module };
+
+# Don't audit deny logs in row-level access control
+dontaudit sepgsql_client_type { sepgsql_table_type - sepgsql_sysobj_table_type } : db_tuple *;
+
+# Client domain constraint
+neverallow ~{ postgresql_t sepgsql_client_type } sepgsql_database_type : db_database { access };
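Review bot: the `optional_policy` wrapper around `kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)` is unnecessary; the kernel module is part of the base policy, so its interfaces are always available. Two further points in this hunk: `dontaudit sepgsql_client_type { sepgsql_table_type - sepgsql_sysobj_table_type } : db_tuple *;` silences every db_tuple denial, including update/insert/delete, so write attempts that row-level filtering does not explain also vanish from the audit log; narrowing it to `{ use select }` keeps the filtering quiet without hiding write denials. And `allow sepgsql_unconfined_type postgresql_t : db_blob { import export };` names the server domain as the target of a db_blob permission; a comment explaining that pairing would help, as would one on the trailing neverallow, which PeBenito asks about in his reply.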
Index: refpolicy-sepgsql/policy/modules/services/postgresql.fc
===================================================================
--- refpolicy-sepgsql/policy/modules/services/postgresql.fc (revision 2647)
+++ refpolicy-sepgsql/policy/modules/services/postgresql.fc (working copy)
@@ -6,8 +6,9 @@
#
# /usr
#
-/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
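Review bot: `/usr/bin/sepg_ctl` is labeled initrc_exec_t while the other SE-PostgreSQL binaries in this hunk get postgresql_exec_t, and the hunk gives no reason for the difference. An initrc_exec_t file is an init-script entry point for every domain allowed to run init scripts; if sepg_ctl is just the SE-PostgreSQL counterpart of pg_ctl, it should carry whatever label pg_ctl has in the unchanged part of this file, and if the initrc_exec_t label is deliberate, a comment should say why.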
@@ -30,8 +31,12 @@
/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
ifdef(`distro_redhat', `
/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
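Review bot: the new `/var/lib/sepgsql/pgstartup\.log -- gen_context(...)` entry carries the `--` regular-file qualifier, but the existing `/var/lib/pgsql/pgstartup\.log` line it mirrors does not; make the two consistent so the SE-PostgreSQL entries match the PostgreSQL ones they are modelled on.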
Index: refpolicy-sepgsql/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/userdomain.if (revision 2647)
+++ refpolicy-sepgsql/policy/modules/system/userdomain.if (working copy)
@@ -1201,6 +1201,10 @@
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
+ optional_policy(`
+ postgresql_userdom_template($1,$1_t,$1_r)
+ ')
+
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -1371,6 +1375,10 @@
')
optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+
+ optional_policy(`
userhelper_exec($1_t)
')
')
Index: refpolicy-sepgsql/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.te (revision 2647)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.te (working copy)
@@ -189,6 +189,10 @@
')
optional_policy(`
+ postgresql_unconfined(unconfined_t)
+')
+
+optional_policy(`
tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
Index: refpolicy-sepgsql/policy/modules/system/libraries.te
===================================================================
--- refpolicy-sepgsql/policy/modules/system/libraries.te (revision 2647)
+++ refpolicy-sepgsql/policy/modules/system/libraries.te (working copy)
@@ -109,3 +109,8 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ postgresql_loadable_module(lib_t)
+ postgresql_loadable_module(textrel_shlib_t)
+')
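Review bot: `postgresql_loadable_module(lib_t)` and `postgresql_loadable_module(textrel_shlib_t)` put every shared library on the system into sepgsql_module_type, and with `allow sepgsql_database_type sepgsql_module_type : db_database { load_module };` from postgresql.te in this patch the server may then load any lib_t file as a database module. A dedicated type for the directory that holds the PostgreSQL extension modules would confine `load_module` to those files; at minimum, document why the whole library attribute is needed.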
Index: refpolicy-sepgsql/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-sepgsql/policy/modules/system/unconfined.if (revision 2647)
+++ refpolicy-sepgsql/policy/modules/system/unconfined.if (working copy)
@@ -88,6 +88,10 @@
')
optional_policy(`
+ postgresql_unconfined($1)
+ ')
+
+ optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
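The labeling behaviour the mail above describes (an unconditional type_transition to FOO_sepgsql_xxx_t for userdomains and to sepgsql_xxx_t for other clients, with the DDL boolean gating only the permissions), as an added Python model that is not part of the thread or of refpolicy. The rule tables are transcribed from the v5 patch; the fallback of a new object to its parent's label when no rule matches is an assumption of the model, not something the patch states.

```python
"""Toy evaluator for the labeling rules in the v5 patch above.

Added example, not code from the thread or from refpolicy.  It models only the
three mechanisms the discussion turns on:

* `type_transition src tgt:class new;` -- a freshly created object gets label
  `new` when the creating domain matches `src` and the parent object's label
  matches `tgt`; with no matching rule the new object keeps the parent's label
  (a modeling assumption for the db_* classes, not something the patch states);
* `allow` rules, where `create` is checked against the label the new object
  will receive;
* `tunable_policy` blocks, whose rules count only while the boolean is on.

Rule tables are transcribed from postgresql.te/.if in the patch, with the
template expanded for prefix "user" (userdomain.if) and
postgresql_unpriv_client() expanded for httpd_t (apache.te).
"""
from typing import Dict, List, Optional, Set, Tuple

# type -> attributes it carries (postgresql.te, the template, apache.te, unconfined.te)
ATTRS: Dict[str, Set[str]] = {
    "postgresql_t": set(),
    "user_t": {"sepgsql_client_type", "sepgsql_unpriv_client_type"},
    "httpd_t": {"sepgsql_client_type", "sepgsql_unpriv_client_type"},
    "unconfined_t": {"sepgsql_client_type", "sepgsql_unconfined_type"},
    "sepgsql_db_t": {"sepgsql_database_type"},
    "sepgsql_table_t": {"sepgsql_table_type"},
    "sepgsql_sysobj_t": {"sepgsql_table_type", "sepgsql_sysobj_table_type"},
    "user_sepgsql_table_t": {"sepgsql_table_type"},
    "user_sepgsql_sysobj_t": {"sepgsql_table_type", "sepgsql_sysobj_table_type"},
}


def matches(label: str, name: str) -> bool:
    """True when `name` is the label itself or an attribute the label carries."""
    return label == name or name in ATTRS.get(label, set())


# (source, target, class, new type)
TRANSITIONS: List[Tuple[str, str, str, str]] = [
    # server: tables it creates itself become system objects
    ("postgresql_t", "sepgsql_database_type", "db_table", "sepgsql_sysobj_t"),
    # postgresql_unconfined()
    ("sepgsql_unconfined_type", "sepgsql_database_type", "db_table", "sepgsql_table_t"),
    # postgresql_unpriv_client(httpd_t)
    ("httpd_t", "sepgsql_database_type", "db_table", "sepgsql_table_t"),
    # postgresql_userdom_template(user, user_t, user_r): unconditional, as the mail says
    ("user_t", "sepgsql_database_type", "db_table", "user_sepgsql_table_t"),
    ("user_t", "sepgsql_sysobj_table_type", "db_tuple", "user_sepgsql_sysobj_t"),
    # the rule PeBenito questions: the "parent" of a new database is the server domain
    ("postgresql_t", "postgresql_t", "db_database", "sepgsql_db_t"),
    ("sepgsql_client_type", "postgresql_t", "db_database", "sepgsql_db_t"),
]

# (source, target, class, permissions or "*", gating boolean or None)
ALLOWS: List[Tuple[str, str, str, str, Optional[str]]] = [
    ("postgresql_t", "sepgsql_database_type", "db_database", "*", None),
    ("postgresql_t", "sepgsql_table_type", "db_table", "*", None),
    ("sepgsql_unconfined_type", "sepgsql_database_type", "db_database", "*", None),
    ("sepgsql_unconfined_type", "sepgsql_table_type", "db_table", "*", None),
    ("sepgsql_unpriv_client_type", "sepgsql_db_t", "db_database", "getattr access get_param set_param", None),
    ("sepgsql_unpriv_client_type", "sepgsql_table_t", "db_table", "getattr use select update insert delete", None),
    ("sepgsql_unpriv_client_type", "sepgsql_table_t", "db_table", "create drop setattr", "sepgsql_enable_users_ddl"),
    ("user_t", "user_sepgsql_table_t", "db_table", "getattr setattr use select update insert delete", None),
    ("user_t", "user_sepgsql_table_t", "db_table", "create drop", "sepgsql_enable_users_ddl"),
    ("user_t", "user_sepgsql_sysobj_t", "db_tuple", "use select", None),
    ("user_t", "user_sepgsql_sysobj_t", "db_tuple", "update insert delete", "sepgsql_enable_users_ddl"),
]


def new_object_type(creator: str, parent: str, cls: str) -> str:
    """Label of a new `cls` object created by `creator` inside `parent`."""
    hits = {new for src, tgt, c, new in TRANSITIONS
            if c == cls and matches(creator, src) and matches(parent, tgt)}
    if len(hits) > 1:  # checkpolicy rejects conflicting defaults at build time
        raise ValueError(f"conflicting type_transition for {creator} {parent}:{cls}: {sorted(hits)}")
    return hits.pop() if hits else parent


def allowed(src: str, tgt: str, cls: str, perm: str, booleans: Dict[str, bool]) -> bool:
    """Access-vector check: any enabled allow rule covering (src, tgt, cls, perm)."""
    for rsrc, rtgt, c, perms, tunable in ALLOWS:
        if c != cls or not matches(src, rsrc) or not matches(tgt, rtgt):
            continue
        if tunable is not None and not booleans.get(tunable, False):
            continue
        if perms == "*" or perm in perms.split():
            return True
    return False


def simulate_create(creator: str, parent: str, cls: str,
                    ddl: bool = True, perm: str = "create") -> Tuple[str, bool]:
    """Return (label the new object would get, whether `creator` may `perm` it)."""
    label = new_object_type(creator, parent, cls)
    return label, allowed(creator, label, cls, perm, {"sepgsql_enable_users_ddl": ddl})


if __name__ == "__main__":
    for who in ("user_t", "httpd_t", "unconfined_t", "postgresql_t"):
        for ddl in (True, False):
            print(f"{who:13} ddl={ddl!s:5} CREATE TABLE ->", simulate_create(who, "sepgsql_db_t", "db_table", ddl))
    print("user_t CREATE DATABASE ->", simulate_create("user_t", "postgresql_t", "db_database"))
```

Turning the boolean off changes only the second element of each result: the label a userdomain's table would get stays user_sepgsql_table_t, which is the "unconditional target" point KaiGai makes above.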
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
2008-03-28 4:50 ` KaiGai Kohei
@ 2008-05-05 13:48 ` Christopher J. PeBenito
2008-05-12 2:31 ` KaiGai Kohei
0 siblings, 1 reply; 34+ messages in thread
From: Christopher J. PeBenito @ 2008-05-05 13:48 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: KaiGai Kohei, selinux
[-- Attachment #1: Type: text/plain, Size: 2163 bytes --]
On Fri, 2008-03-28 at 13:50 +0900, KaiGai Kohei wrote:
> >> Do you consider they are really complex type_transition rules now?
> >> They are not conditional, not set operations.
> >
> > Sounds like they are ok, but I'd have to see the policy to make sure.
>
> I'm sorry, I didn't submit the latest one yet, although I gave assurance
> to update some points you pointed out.
>
> The attached one is the latest one.
> Please confirm this version.
>
> Significant updates:
> - kernel_relabelfrom_unlabeled_database() is added to kernel/kernel.if.
> It enables sepgsql_unconfined_type to relabel unlabeled_t to other types.
> - All types/attributes/booleans are declared at the head of services/postgresql.te.
> - postgresql_userdom_template() requires three arguments: prefix, domain and role.
> - The naming convention is changed. When a userdomain tries to create a new object,
> it is labeled as FOO_sepgsql_table_t, not sepgsql_FOO_table_t.
> - The target of type_transition is unconditional.
> If a userdomain creates a new object, it is always labeled as FOO_sepgsql_xxx_t.
> If others create a new one, it is always labeled as sepgsql_xxx_t.
> - A new attribute, sepgsql_unpriv_client_type, provides baseline permissions to
> attached domains. It is necessary to avoid deploying the sepgsql_enable_users_ddl
> boolean within interfaces.
> - The meaning of sepgsql_client_type is changed. It means the set of domains
> connectable to SE-PostgreSQL.
I'd like to wrap this one up, so I spent some time revising the patch
(attached). It's just about ready to merge. Is the neverallow really
needed? Also, I'd still strongly urge you to reconsider adding the
postgresql_contexts file with the default object labels. I think this
is the clearest example why:
type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
What object is being transitioned on? Other type transitions are
clearer: a file being created in a directory or a message enqueued to a
message queue. I won't block merging the policy over this, but I think
the postgresql_contexts is the better method.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
[-- Attachment #2: sepgsql.diff --]
[-- Type: text/x-patch, Size: 21806 bytes --]
Index: policy/modules/kernel/kernel.if
===================================================================
--- policy/modules/kernel/kernel.if (revision 2659)
+++ policy/modules/kernel/kernel.if (working copy)
@@ -2492,6 +2492,35 @@
########################################
## <summary>
+## Relabelfrom unlabeled database objects of SE-PostgreSQL
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_database',`
+ gen_require(`
+ type unlabeled_t;
+
+ class db_database { setattr relabelfrom };
+ class db_table { setattr relabelfrom };
+ class db_procedure { setattr relabelfrom };
+ class db_column { setattr relabelfrom };
+ class db_tuple { update relabelfrom };
+ class db_blob { setattr relabelfrom };
+ ')
+ allow $1 unlabeled_t:db_database { setattr relabelfrom };
+ allow $1 unlabeled_t:db_table { setattr relabelfrom };
+ allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
+ allow $1 unlabeled_t:db_column { setattr relabelfrom };
+ allow $1 unlabeled_t:db_tuple { update relabelfrom };
+ allow $1 unlabeled_t:db_blob { setattr relabelfrom };
+')
+
+########################################
+## <summary>
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
Index: policy/modules/services/postgresql.if
===================================================================
--- policy/modules/services/postgresql.if (revision 2614)
+++ policy/modules/services/postgresql.if (working copy)
@@ -1,7 +1,210 @@
## <summary>PostgreSQL relational database</summary>
+#######################################
+## <summary>
+## The userdomain template for the SE-PostgreSQL.
+## </summary>
+## <desc>
+## This template creates a delivered types which are used
+## for given userdomains.
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`postgresql_userdom_template',`
+ gen_require(`
+ class db_database all_db_database_perms;
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_client_type;
+ attribute sepgsql_database_type;
+ attribute sepgsql_sysobj_table_type;
+
+ type sepgsql_trusted_proc_t;
+ type sepgsql_trusted_domain_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ typeattribute $2 sepgsql_client_type;
+
+ type $1_sepgsql_blob_t;
+ postgresql_blob_object($1_sepgsql_blob_t)
+
+ type $1_sepgsql_proc_t;
+ postgresql_procedure_object($1_sepgsql_proc_t)
+
+ type $1_sepgsql_sysobj_t;
+ postgresql_system_table_object($1_sepgsql_sysobj_t)
+
+ type $1_sepgsql_table_t;
+ postgresql_table_object($1_sepgsql_table_t)
+
+ role $3 types sepgsql_trusted_domain_t;
+
+ ##############################
+ #
+ # Client local policy
+ #
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $2 $1_sepgsql_table_t : db_table { create drop };
+ type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t;
+
+ allow $2 $1_sepgsql_table_t : db_column { create drop };
+
+ allow $2 $1_sepgsql_sysobj_t : db_tuple { update insert delete };
+ type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t;
+ ')
+
+ allow $2 $1_sepgsql_table_t : db_table { getattr setattr use select update insert delete };
+ allow $2 $1_sepgsql_table_t : db_column { getattr setattr use select update insert };
+ allow $2 $1_sepgsql_table_t : db_tuple { use select update insert delete };
+ allow $2 $1_sepgsql_sysobj_t : db_tuple { use select };
+
+ allow $2 $1_sepgsql_proc_t : db_procedure { create drop getattr setattr execute };
+ type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_t;
+
+ allow $2 $1_sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+ type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t;
+
+ allow $2 sepgsql_trusted_domain_t:process transition;
+ type_transition $2 sepgsql_trusted_proc_t:process sepgsql_trusted_domain_t;
+')
+
########################################
## <summary>
+## Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_loadable_module',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+
+ typeattribute $1 sepgsql_module_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL database object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_database_object',`
+ gen_require(`
+ attribute sepgsql_database_type;
+ ')
+
+ typeattribute $1 sepgsql_database_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ ')
+
+ typeattribute $1 sepgsql_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL system table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_system_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ attribute sepgsql_sysobj_table_type;
+ ')
+
+ typeattribute $1 sepgsql_table_type;
+ typeattribute $1 sepgsql_sysobj_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL procedure object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_procedure_object',`
+ gen_require(`
+ attribute sepgsql_procedure_type;
+ ')
+
+ typeattribute $1 sepgsql_procedure_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL binary large object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database binary large object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_blob_object',`
+ gen_require(`
+ attribute sepgsql_blob_type;
+ ')
+
+ typeattribute $1 sepgsql_blob_type;
+')
+
+########################################
+## <summary>
## Allow the specified domain to search postgresql's database directory.
## </summary>
## <param name="domain">
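Review bot: the parameter documentation in this hunk is copy-pasted and does not match the interfaces: `postgresql_loadable_module` describes its parameter as "Type marked as a database object type." although it marks a loadable shared library module type, `postgresql_system_table_object` omits "system" from its parameter summary, and `postgresql_procedure_object` also says "database object type" rather than procedure object type; fix the three summaries. In `postgresql_userdom_template`, `class db_database all_db_database_perms;` is required but no rule in the template uses db_database, so it can be dropped, and `setattr` on `$1_sepgsql_table_t` (db_table and db_column) is granted unconditionally here while the matching rules for `sepgsql_client_type` in postgresql.te put `setattr` under `sepgsql_enable_users_ddl`; make the two consistent.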
@@ -120,3 +323,60 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+########################################
+## <summary>
+## Allow the specified domain unprivileged accesses to unifined database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unpriv_client',`
+ gen_require(`
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_client_type;
+ attribute sepgsql_database_type;
+
+ type sepgsql_table_t;
+ type sepgsql_proc_t;
+ type sepgsql_blob_t;
+
+ type sepgsql_trusted_proc_t;
+ type sepgsql_trusted_domain_t;
+ ')
+
+ typeattribute $1 sepgsql_client_type;
+
+ type_transition $1 sepgsql_database_type:db_table sepgsql_table_t;
+ type_transition $1 sepgsql_database_type:db_procedure sepgsql_proc_t;
+ type_transition $1 sepgsql_database_type:db_blob sepgsql_blob_t;
+
+ type_transition $1 sepgsql_trusted_proc_t:process sepgsql_trusted_domain_t;
+ allow $1 sepgsql_trusted_domain_t:process transition;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unconfined accesses to any database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unconfined',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ ')
+
+ typeattribute $1 sepgsql_unconfined_type;
+')
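Review bot: the summary of `postgresql_unpriv_client` reads "unprivileged accesses to unifined database objects managed by SE-PostgreSQL,"; "unifined" is a typo and both this summary and the one for `postgresql_unconfined` end with a comma instead of a period. Suggest "Allow the specified domain unprivileged access to the default database objects managed by SE-PostgreSQL." and "Allow the specified domain unconfined access to any database objects managed by SE-PostgreSQL." The description of `postgresql_unpriv_client` should also say that the interface grants no db_* permissions itself; the access comes from the `sepgsql_client_type` rules in postgresql.te, and the type_transition rules here only pick the default labels.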
Index: policy/modules/services/apache.te
===================================================================
--- policy/modules/services/apache.te (revision 2668)
+++ policy/modules/services/apache.te (working copy)
@@ -475,6 +475,7 @@
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
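Review bot: the comment "# Allow httpd to work with postgresql" no longer describes the block once `postgresql_unpriv_client(httpd_t)` is added: httpd_t now becomes an SE-PostgreSQL client domain (sepgsql_client_type) whenever the postgresql module is loaded, independent of `httpd_can_network_connect_db`. Attribute membership cannot be made conditional, so the comment should state that httpd_t is always a database client and that only the TCP connect is gated by the boolean.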
Index: policy/modules/services/apache.if
===================================================================
--- policy/modules/services/apache.if (revision 2614)
+++ policy/modules/services/apache.if (working copy)
@@ -226,6 +226,10 @@
')
optional_policy(`
+ postgresql_unpriv_client(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
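Review bot: refpolicy keeps `optional_policy()` blocks in alphabetical order by module; the new postgresql block is inserted before the nscd block, so move it after `nscd_socket_use(httpd_$1_script_t)`.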
Index: policy/modules/services/postgresql.te
===================================================================
--- policy/modules/services/postgresql.te (revision 2668)
+++ policy/modules/services/postgresql.te (working copy)
@@ -1,10 +1,27 @@
policy_module(postgresql,1.5.1)
+gen_require(`
+ class db_database all_db_database_perms;
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+')
+
#################################
#
# Declarations
#
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t,postgresql_exec_t)
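Review bot: `policy_module(postgresql,1.5.1)` is left unchanged although the patch adds new types, attributes, interfaces and a tunable; refpolicy convention is to bump the module version with an interface change. The tunable description "Allow unprived users to execute DDL statement" should read "Allow unprivileged users to execute DDL statements". The tunable also defaults to `true`; since it is the only switch that keeps ordinary clients from creating and dropping tables and columns, the commit message should say why enabling it by default is the intended baseline.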
@@ -27,6 +44,58 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+# database clients attribute
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_sysobj_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database object types
+type sepgsql_blob_t;
+postgresql_blob_object(sepgsql_blob_t)
+
+type sepgsql_db_t;
+postgresql_database_object(sepgsql_db_t)
+
+type sepgsql_fixed_table_t;
+postgresql_table_object(sepgsql_fixed_table_t)
+
+type sepgsql_proc_t;
+postgresql_procedure_object(sepgsql_proc_t)
+
+type sepgsql_ro_blob_t;
+postgresql_blob_object(sepgsql_ro_blob_t)
+
+type sepgsql_ro_table_t;
+postgresql_table_object(sepgsql_ro_table_t)
+
+type sepgsql_secret_blob_t;
+postgresql_blob_object(sepgsql_secret_blob_t)
+
+type sepgsql_secret_table_t;
+postgresql_table_object(sepgsql_secret_table_t)
+
+type sepgsql_sysobj_t;
+postgresql_system_table_object(sepgsql_sysobj_t)
+
+type sepgsql_table_t;
+postgresql_table_object(sepgsql_table_t)
+
+type sepgsql_trusted_proc_t;
+postgresql_procedure_object(sepgsql_trusted_proc_t)
+
+# Trusted Procedure Domain
+type sepgsql_trusted_domain_t;
+domain_type(sepgsql_trusted_domain_t)
+postgresql_unconfined(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+
########################################
#
# postgresql Local policy
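Review bot: `sepgsql_trusted_domain_t` is declared with `domain_type()` but has no executable entrypoint; the only way into it is the `entrypoint` permission on `sepgsql_trusted_proc_t:db_procedure` granted further down, and `postgresql_unconfined(sepgsql_trusted_domain_t)` makes every trusted procedure unconfined over all database objects. The one-line comment "# Trusted Procedure Domain" should say both things, since this is the trust boundary of the module, e.g. "# Domain for trusted procedures; entered only through sepgsql_trusted_proc_t (db_procedure entrypoint); unconfined on database objects".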
@@ -42,7 +111,21 @@
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+allow postgresql_t sepgsql_database_type:db_database *;
+type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
+
+allow postgresql_t sepgsql_module_type:db_database install_module;
+allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
+allow postgresql_t sepgsql_procedure_type:db_procedure *;
+allow postgresql_t sepgsql_blob_type:db_blob *;
+
+# server specific type transitions
+type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
+type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
+type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
+
manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
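Review bot: the new rules for `postgresql_t` use the wildcard permission `*` (`sepgsql_database_type:db_database *`, `{ db_table db_column db_tuple } *`, `db_procedure *`, `db_blob *`); refpolicy style is to list the permissions or use the named permission sets, so that permissions added to these classes later are not silently granted. `type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;` also uses the server domain as the target object of its own transition, which is unusual enough (see the discussion in the thread) to deserve a comment explaining that the server process acts as the container in which new databases are created.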
@@ -75,6 +158,9 @@
manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type:db_database load_module;
+
kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
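Review bot: `allow sepgsql_database_type sepgsql_module_type:db_database load_module;` has a database object attribute as its subject rather than a process domain, and uses class db_database although the target is the shared library's file type; the comment "# Database/Loadable module" does not explain this. Add a comment stating that the check is made with the database as the subject and the library's type as the target, and why the permission lives in db_database rather than in a class of the module object.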
@@ -101,6 +187,12 @@
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
+selinux_get_enforce_mode(postgresql_t)
+selinux_validate_context(postgresql_t)
+selinux_compute_access_vector(postgresql_t)
+selinux_compute_create_context(postgresql_t)
+selinux_compute_relabel_context(postgresql_t)
+
term_use_controlling_term(postgresql_t)
corecmd_exec_bin(postgresql_t)
@@ -126,7 +218,7 @@
miscfiles_read_localization(postgresql_t)
-seutil_dontaudit_search_config(postgresql_t)
+seutil_libselinux_linked(postgresql_t)
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
@@ -167,3 +259,75 @@
optional_policy(`
udev_read_db(postgresql_t)
')
+
+########################################
+#
+# Rules common to all clients
+#
+
+# Client domain constraint
+neverallow ~{ postgresql_t sepgsql_client_type sepgsql_unconfined_type } sepgsql_database_type:db_database access;
+
+allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
+type_transition sepgsql_client_type postgresql_t:db_database sepgsql_db_t;
+
+allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete };
+allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
+
+# Dontaudit deny logs in row-level access control
+dontaudit sepgsql_client_type { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple *;
+
+allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
+allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
+
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
+allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
+
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
+ allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
+ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow sepgsql_unconfined_type postgresql_t:db_blob { import export };
+
+allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
+
+allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
+type_transition sepgsql_unconfined_type postgresql_t:db_database sepgsql_db_t;
+
+allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
+
+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
+allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
+
+allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
+
+optional_policy(`
+ kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
+')
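Review bot: `dontaudit sepgsql_client_type { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple *;` silences every row-level denial on every non-system table, including `sepgsql_secret_table_t`, so a misconfiguration or repeated attempts to read protected rows leave no audit trail; consider narrowing it to the permissions that are expected to be denied in normal operation (`{ use select }`) or placing it under a boolean so administrators can re-enable the logs. Two smaller points: the `optional_policy()` around `kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)` is unnecessary, since the kernel module is always present in the base policy, and the `neverallow ~{ postgresql_t sepgsql_client_type sepgsql_unconfined_type } sepgsql_database_type:db_database access;` will break any third-party module that grants database access without going through the postgresql interfaces; as agreed in the thread, drop it.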
Index: policy/modules/services/postgresql.fc
===================================================================
--- policy/modules/services/postgresql.fc (revision 2614)
+++ policy/modules/services/postgresql.fc (working copy)
@@ -6,8 +6,8 @@
#
# /usr
#
-/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
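Review bot: `/usr/bin/(se)?postgres` and `/usr/bin/initdb(\.sepgsql)?` give the vanilla and the SE-PostgreSQL binaries the same `postgresql_exec_t`, so vanilla postgres now runs with every permission added to `postgresql_t` in this patch (netlink_selinux_socket, the selinux_compute_* interfaces and the wildcard db_* rules). If that is deliberate, say so in the commit message; otherwise a separate exec type for sepostgres would keep the vanilla server's footprint unchanged.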
@@ -30,8 +30,12 @@
/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
ifdef(`distro_redhat', `
/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
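Review bot: `/var/lib/sepgsql(/.*)?` labels the whole directory `postgresql_db_t`, whereas the existing vanilla entry only covers `/var/lib/pgsql/data(/.*)?`, and the new `/var/lib/sepgsql/pgstartup\.log` entry carries a `--` file-type specifier that the adjacent `/var/lib/pgsql/pgstartup\.log` line lacks. Either mirror the pgsql entries (`/var/lib/sepgsql/data(/.*)?`) or explain why the broader match is wanted, and use the same specifier on both log entries.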
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if (revision 2668)
+++ policy/modules/system/userdomain.if (working copy)
@@ -1201,6 +1201,10 @@
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
+ optional_policy(`
+ postgresql_userdom_template($1,$1_t,$1_r)
+ ')
+
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -1371,6 +1375,10 @@
')
optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+
+ optional_policy(`
userhelper_exec($1_t)
')
')
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te (revision 2656)
+++ policy/modules/system/libraries.te (working copy)
@@ -109,3 +109,8 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ postgresql_loadable_module(lib_t)
+ postgresql_loadable_module(textrel_shlib_t)
+')
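Review bot: refpolicy orders `optional_policy()` blocks alphabetically by module, so the postgresql block belongs before the rpm block rather than appended after it. A comment is also needed: `postgresql_loadable_module(lib_t)` and `postgresql_loadable_module(textrel_shlib_t)` mean that any shared library carrying those types, not just PostgreSQL extensions, becomes loadable into the database server; if that scope is intended, state it.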
Index: policy/modules/system/unconfined.if
===================================================================
--- policy/modules/system/unconfined.if (revision 2655)
+++ policy/modules/system/unconfined.if (working copy)
@@ -88,6 +88,10 @@
')
optional_policy(`
+ postgresql_unconfined($1)
+ ')
+
+ optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
Index: policy/modules/system/init.fc
===================================================================
--- policy/modules/system/init.fc (revision 2614)
+++ policy/modules/system/init.fc (working copy)
@@ -38,6 +38,8 @@
#
# /usr
#
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
From: KaiGai Kohei @ 2008-05-12 2:31 UTC
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, selinux
Christopher J. PeBenito wrote:
> On Fri, 2008-03-28 at 13:50 +0900, KaiGai Kohei wrote:
>>>> Do you consider they are really complex type_transition rules now?
>>>> They are not conditional, not set operations.
>>> Sounds like they are ok, but I'd have to see the policy to make sure.
>> I'm sorry, I didn't submit the latest one yet, although I gave assurance
>> to update some points you pointed out.
>>
>> The attached one is the latest one.
>> Please confirm this version.
>>
>> Significant updates:
>> - kernel_relabelfrom_unlabeled_database() is added to kernel/kernel.if.
>> It enables sepgsql_unconfined_type to relabel unlabeled_t to other types.
>> - Any types/attributes/booleans are declared at the head of services/postgresql.te.
>> - postgresql_userdom_template() requires three arguments: prefix, domain and role.
>> - Naming convention is changed. When a userdomain tries to create a new object,
>> it is labeled as FOO_sepgsql_table_t, not sepgsql_FOO_table_t.
>> - The target of type_transition is unconditional.
>> If a userdomain creates new objects, they are always labeled as FOO_sepgsql_xxx_t.
>> If others create a new one, it is always labeled as sepgsql_xxx_t.
>> - A new attribute, sepgsql_unpriv_client_type, provides baseline permissions to
>> attached domains. It is necessary to avoid deploying the sepgsql_enable_users_ddl
>> boolean within interfaces.
>> - The meaning of sepgsql_client_type is changed. It means a set of domains
>> connectable to SE-PostgreSQL.
Chris, I'm sorry for my late response.
> I'd like to wrap this one up, so I spent some time revising the patch
> (attached). It's just about ready to merge. Is the neverallow really
> needed?
It might be too much of a restriction.
I agree to drop the neverallow rule.
> Also, I'd still strongly urge you to reconsider adding the
> postgresql_contexts file with the default object labels. I think this
> is the clearest example why:
>
> type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
>
> What object is being transitioned on? Other type transitions are
> clearer: a file being created in a directory or a message enqueued to a
> message queue. I won't block merging the policy over this, but I think
> the postgresql_contexts is the better method.
This type transition rule means a new database is created on a database
management system. A database management system can maintain several
databases at the same time, like several files placed under a directory.
The only difference between a directory and a database management system
is whether it is a process or not. So, I don't think it is an unnatural
method to decide the correct context of a newly created database.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
From: KaiGai Kohei @ 2008-05-12 14:33 UTC
To: KaiGai Kohei; +Cc: Christopher J. PeBenito, selinux
>> type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
>>
>> What object is being transitioned on? Other type transitions are
>> clearer: a file being created in a directory or a message enqueued to a
>> message queue. I won't block merging the policy over this, but I think
>> the postgresql_contexts is the better method.
>
> This type transition rule means a new database is created on a database
> management system. A database management system can maintain several
> databases at the same time, like several files placed under a directory.
> The only difference between a directory and a database management system
> is whether it is a process or not. So, I don't think it is an unnatural
> method to decide the correct context of a newly created database.
Properly speaking, I oppose dropping the type_transition rule for a newly
created database object; I don't oppose the postgresql_contexts file.
I noticed they are not exclusive options after careful consideration.
The biggest concern of dropping type_transition is that we cannot decide
what security context should be attached to a new database when
the postgresql_contexts file is lost, if we completely depend on this file.
We can help the situation if we can decide it with a type_transition rule
when the file or the proper entries are not found.
If you feel it is strange to use the context of the server process as the target
of the type_transition, using the root directory of the database cluster
is an alternative idea. (It is '/var/lib/sepgsql/data' by default.)
Any database files are placed under the directory, like files placed
under a directory.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
* Re: [PATCH] SE-PostgreSQL Security Policy (try #3)
From: KaiGai Kohei @ 2008-05-13 2:39 UTC
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, ewalsh, selinux
Christopher J. PeBenito wrote:
> (sorry for the dupe KaiGai, but I got a delivery failure on the nsa addresses)
I have not got this message via nsa list. :-(
> On Mon, 2008-05-12 at 23:33 +0900, KaiGai Kohei wrote:
>>>> type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
>>>>
>>>> What object is being transitioned on? Other type transitions are
>>>> clearer: a file being created in a directory or a message enqueued to a
>>>> message queue. I won't block merging the policy over this, but I think
>>>> the postgresql_contexts is the better method.
>>> This type transition rule means a new database is created on a database
>>> management system. A database management system can maintain several
>>> databases at the same time, like several files placed under a directory.
>>> The only difference between a directory and a database management system
>>> is whether it is a process or not. So, I don't think it is an unnatural
>>> method to decide the correct context of a newly created database.
>> Properly speaking, I oppose dropping the type_transition rule for a newly
>> created database object; I don't oppose the postgresql_contexts file.
>> I noticed they are not exclusive options after careful consideration.
>>
>> The biggest concern of dropping type_transition is that we cannot decide
>> what security context should be attached to a new database when
>> the postgresql_contexts file is lost, if we completely depend on this file.
>> We can help the situation if we can decide it with a type_transition rule
>> when the file or the proper entries are not found.
>
> I'd say it's not unreasonable to require that postgresql_contexts exists.
> If it doesn't, it could just create the databases unlabeled, or the
> service fails to start when it's missing. I don't know which is the
> better answer, so I'll reference another object manager. Eamon, what do
> you do in the X server when the x_contexts file is incomplete or
> missing?
Hmm...
Because the policy does not allow creating a database with unlabeled_t,
I will choose the latter option (failing the service at startup).
Is it possible to add a new initial security context to provide a fallback
context for newly created databases as an alternative to "unlabeled"?
It would be better if we can get a proper context when postgresql_contexts
is missing.
>> If you feel it is strange to use the context of the server process as the target
>> of the type_transition, using the root directory of the database cluster
>> is an alternative idea. (It is '/var/lib/sepgsql/data' by default.)
>> Any database files are placed under the directory, like files placed
>> under a directory.
>
> I think that this is a much less desirable option than what we have right
> now. Database objects don't exist outside of postgresql since it's a
> userspace object manager. The fact that they're stored as files in a
> directory isn't relevant from the database object's perspective.
OK, please forget this idea.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>